Information processing apparatus, information processing method, information processing system and recording medium

ABSTRACT

An information processing apparatus and an information processing method capable of preventing information from being copied illegally. where a hash function and a service key are stored in advance in an EEPROM of a DVD player serving as a source. In an BEPROM of a personal computer (PC) serving as a sink, on the other hand, its ID and a license key are stored beforehand. The DVD player requests the PC to transmit the ID. The DVD player then applies the hash function to data resulting from concatenation of the lID with the service key to generate a license key (=hash (ID ∥service_key)). Subsequently, the DVD player generates a source side common session key and encrypts the session key by using the generated license key. Then, the DVD player transmits the encrypted source side common session key to the PC. The PC decrypts the encrypted source side common session key by using the license key stored in its EEPROM to produce a sink side common session key which has a value equal to that of the source side common session key.

This is a divisional application of U.S. application Ser. No.09/059,812, filed Apr. 14, 1998 now U.S. Pat. No. 6,697,945.

BACKGROUND OF THE INVENTION

1. Field of the Invention

In general, the present invention relates to an information processingapparatus, an information processing method, an information processingsystem and a recording medium. More particularly, the present inventionrelates to an information processing apparatus, an informationprocessing method an information processing system and a recordingmedium that allow data to be exchanged with a higher degree of security.

2. Description of the Invention

In recent years, there has been proposed a system comprising pieces ofelectronic equipment such as AV apparatuses and personal computersconnected to each other by typically IEEE1394 serial buses wherein datacan be exchanged among the pieces of equipment.

In such a system, for example, the ordinary user can play back movieinformation by using a DVD (Digital Video Disc) player and transmit themovie information to a monitor through the 1394 serial bus to display iton the monitor. The conduct done by the user to display the movieinformation is automatically permitted by the author of the movieinformation normally through a license which was obtained when the userpurchased the DVD of the movie information. In order to do a conduct tocopy the movie information played back from the DVD player to anotherrecording medium such as an optical magnetic disc, however, it isnecessary for the user to obtain a special permission from the author ofthe movie information. In the case of a copy license, typically, theoptical magnetic disc apparatus is also used to store a key forindicating whether or not recording movie information into an opticalmagnetic disc mounted on the apparatus is allowed. That is to say, thekey is used for forming a judgment as to whether or not the opticalmagnetic disc apparatus is a valid apparatus, that is, an apparatuslicensed by the author of the movie information. If the optical magneticdisc apparatus is authenticated as a valid apparatus, the act to recordthe movie information into the apparatus can be judged to be a permittedconduct.

In such a case, it is necessary to verify that the destination apparatusis a valid apparatus in a transfer of information from an apparatustransmitting the information to an apparatus receiving the information,that is, the destination apparatus. It should be noted that theinformation transmitting apparatus and the information receivingapparatus are referred to hereafter as a source and a sink respectively.

FIG. 41 is a diagram showing the ordinary method for authenticating adestination apparatus. As shown in the figure, the source and the sinkare each given a predetermined function f in advance by the author.Stored in a memory of each of the source and sink, the function f isdifficult to identify from its input and output. In addition, it isdifficult for a person who does not know the function f to infer anoutput produced by the function f from an input to the function f. Thefunction f is provided to and stored in only an apparatus licensed bythe author.

The source generates a random number r and transmits the number r to thesink through a 1394 serial bus. The source also applies the function fto the random number r, generating a number x (=f(r)).

Receiving the random number r from the source, the sink applies thefunction f to the random number r, generating a number y (=f(r)). Thesink then transmits the number y to the source.

The source compares the calculated number x with the number y receivedfrom the sink to form a judgment as to whether or not the former isequal to the latter (x=y). If the number x is found equal to the numbery, the source judges the sink to be a valid apparatus. In this case,movie information is encrypted by using a predetermined key before beingtransmitted to the sink.

As the key, a value k generated by applying the function f to the numbery received by the source from the sink f is used (k=f(y)). By the sametoken, the sink also applies the function f to the number y to generatethe value k (=f(y)). The value k is then, on the contrary, used as a keyfor decrypting the encrypted movie information.

In this method, however, it is necessary for all pieces of electronicequipment used as sources and sinks for transmitting and receivinginformation respectively to hold a uniform function f in strictconfidence.

As a result, when the function f held in a piece of electronic is stolenby an unauthorized user, for example, the unauthorized user is capableof generating a key k by monitoring data exchanged by way of a 1394serial bus and is, hence, capable of interpreting or decryptingencrypted data. In this way, the unauthorized user is capable ofillegally stealing information by posing as an authorized user using adesired piece of electronic equipment.

OBJECT AND SUMMARY OF THE INVENTION

The present invention addresses the problems described above. It is anobject of the present invention to further improve security oftransmitted information by preventing an unauthorized user from posingas an authorized user using a desired piece of electronic equipment evenif data required for encrypting or decrypting the information is stolenby the unauthorized user.

The above and other objects, features as well as many of the attendantadvantages of the present invention will become more apparent and willhence be more readily appreciated as the same becomes better understoodfrom a study of the following detailed description of some preferredembodiments with reference to accompanying diagrams showing theembodiments.

BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the present invention will be described byreferring to diagrams wherein:

FIG. 1 is a block diagram showing a typical configuration of aninformation processing system to which the present invention is applied;

FIG. 2 is a block diagram showing detailed typical configurations of aDVD player 1, a personal computer 2 and an optical magnetic discapparatus 3 in the information processing system shown in FIG. 1;

FIG. 3 is an explanatory diagram used for describing authenticationprocessing;

FIG. 4 is a diagram showing an embodiment implementing an authenticationprocedure for carrying out the authenticating processing shown in FIG.3;

FIG. 5 is a diagram showing the format of a node unique ID;

FIG. 6 is a diagram showing another embodiment implementing theauthentication procedure;

FIG. 7 is a diagram showing a further embodiment implementing theauthentication procedure;

FIG. 8 is a diagram showing a still further embodiment implementing theauthentication procedure;

FIG. 9 is a diagram showing still another embodiment implementing theauthentication procedure;

FIG. 10 is a block diagram showing an embodiment implementing aninformation processing system to which the present invention is appliedwherein a source transmits encrypted data to a plurality of sinks;

FIG. 11 is a block diagram showing a typical configuration of a 1394interface unit 26 employed in a DVD player 1 serving as the source inthe system shown in FIG. 10;

FIG. 12 is a block diagram showing a typical detailed configuration ofthe 1394 interface unit 26 shown in FIG. 11;

FIG. 13 is a block diagram showing a typical detailed configuration ofan LFSR 72 employed in the 1394 interface unit 26 shown in FIG. 12;

FIG. 14 is a block diagram showing a more concrete configuration of theLFSR 72 shown in FIG. 13;

FIG. 15 is a block diagram showing a typical configuration of a 1394interface unit 36 employed in an optical magnetic disc apparatus 3serving as a sink in the system shown in FIG. 10;

FIG. 16 is a block diagram showing a typical detailed configuration ofthe 1394 interface unit 36 shown in FIG. 15;

FIG. 17 is a block diagram showing a typical configuration of a 1394interface unit 49 employed in a personal computer 2 serving as anothersink in the system shown in FIG. 10;

FIG. 18 is a block diagram showing a typical detailed configuration ofthe 1394 interface unit 49 shown in FIG. 17;

FIG. 19 is a block diagram showing a typical configuration of anapplication module 61 employed in the personal computer 2 serving as theother sink in the system shown in FIG. 10;

FIG. 20 is a block diagram showing a typical detailed configuration ofthe application module 61 shown in FIG. 19;

FIG. 21 is a block diagram showing another typical detailedconfiguration of the 1394 interface unit 26 employed in the DVD player 1serving as the source in the system shown in FIG. 10;

FIG. 22 is a block diagram showing another typical detailedconfiguration of the 1394 interface unit 36 employed in the opticalmagnetic disc apparatus 3 serving as the sink in the system shown inFIG. 10;

FIG. 23 is a block diagram showing another typical detailedconfiguration of the 1394 interface unit 49 employed in the personalcomputer 2 serving as the other sink in the system shown in FIG. 10;

FIG. 24 is a block diagram showing another typical configuration of theapplication module 61 employed in the personal computer 2 serving as theother sink in the system shown in FIG. 10;

FIG. 25 is a diagram showing a still further embodiment implementing theauthentication procedure;

FIG. 26 is a diagram showing a continuation procedure to theauthentication procedure shown in FIG. 25;

FIG. 27 is a diagram showing an alternative continuation procedure tothe authentication procedure shown in FIG. 25;

FIG. 28 is a block diagram showing the configuration of anotherembodiment implementing an information processing system to which thepresent invention is applied wherein a source transmits encrypted datato a sink;

FIG. 29 is a block diagram showing a random number generator 903 or 914employed in the source or the sink respectively in the system shown inFIG. 28;

FIG. 30 shows a flowchart representing operations carried out by aprocessing circuit 902 or 913 employed in the source or the sinkrespectively in the system shown in FIG. 28;

FIG. 31 is a diagram showing a still further embodiment implementing theauthentication procedure;

FIG. 32 is a diagram showing the format of a packet;

FIG. 33 is a diagram showing a still further embodiment implementing theauthentication procedure;

FIG. 34 is a block diagram showing a typical configuration of a CBCmode;

FIG. 35 is a diagram showing a still further embodiment implementing theauthentication procedure;

FIG. 36 is a diagram showing a still further embodiment implementing theauthentication procedure;

FIG. 37 is a diagram showing a still further embodiment implementing theauthentication procedure;

FIG. 38 is a diagram showing a still further embodiment implementing theauthentication procedure;

FIG. 39 is a diagram showing a still further embodiment implementing theauthentication procedure;

FIG. 40 is a diagram showing a still further embodiment implementing theauthentication procedure; and

FIG. 41 is a diagram showing the ordinary authentication procedure.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 is a block diagram showing a typical configuration of aninformation processing system to which the present invention is applied.As shown in the figure, in the configuration, a DVD player 1, a personalcomputer 2, an optical magnetic disc apparatus 3, a databroadcasting/receiving apparatus 4, a monitor 5 and a televisionreceiver 6 are connected to each other by an IEEE1394 serial bus 11.

FIG. 2 is a block diagram showing detailed typical configurations of theDVD player 1, the personal computer 2 and the optical magnetic discapparatus 3 in the information processing system shown in FIG. 1. TheDVD player 1 comprises a CPU 21, a ROM unit 22, a RAM unit 23, anoperation unit 24, a drive 25, a 1394 interface unit 26 and an EEPROMunit 27 which are connected to each other by an internal bus 28. Asshown in the figure, the DVD player 1 is connected to the 1394 serialbus 11 through a 1394 interface unit 26. The CPU 21 carries out variouskinds of processing by execution of a program stored in the ROM unit 22.The RAM unit 23 is used for properly storing information such as dataand the program which are required by the CPU 21 in carrying out theprocessing. The operation unit 24 comprises components such as buttons,switches and a remote controller. When the user operates the operationunit 24, a signal representing the operation is generated. The driver 25drives a DVD which is not shown in the figure, playing back datarecorded on the DVD. The EEPROM unit 27 is used for storing informationwhich needs to be stored even after the power supply of the DVD player 1is turned off. In the case of the present embodiment, an example of suchinformation is an encryption/decryption key. The internal bus 28 is usedfor connecting the CPU 21, the ROM unit 22, the RAM unit 23, theoperation unit 24, the drive 25, the 1394 interface unit 26 and theEEPROM unit 27 to each other.

Much like the DVD player 1, the optical magnetic disc apparatus 3comprises a CPU 31, a ROM unit 32, a RAM unit 33, an operation unit 34,a drive 35, a 1394 interface unit 36 and an EEPROM unit 37 which areconnected to each other by an internal bus 38. Since the CPU 31 to theinternal bus 38 have the same functions of the CPU 21 to the internalbus 28 employed in the DVD player 1 respectively, their explanation isnot repeated. The only exception is that the driver 35 drives an opticalmagnetic disc which is not shown in the figure instead of a DVD. Thedriver 35 records and plays back data into and from the optical magneticdisc.

In addition to a CPU 41, a ROM unit 42, a RAM unit 43, a 1394 interfaceunit 49 and an EEPROM unit 50 which are connected to each other by aninternal bus 51, the personal computer 2 also includes an input/outputinterface unit 44, a keyboard 45, a mouse 46, an HDD (Hard Disc Drive)47 and an expansion board 48. The personal computer 2 is connected tothe 1394 serial bus 11 through the 1394 interface unit 49. The CPU 41carries out various kinds of processing by execution of a program storedin the ROM unit 42. The RAM unit 43 is used for properly storinginformation such as data and the program which are required by the CPU41 in carrying out the processing. Connected to the internal bus 51, theinput/output interface unit 44 serves as an interface between the CPU 41and the keyboard 45, the mouse 46, the HDD 47 and the expansion board48. The input/output interface unit 44 passes on signals input from thekeyboard 45 and the mouse 46 connected to the interface unit 44 to theCPU 41 by way of the internal bus 51. Connected to the HDD 47, theinput/output interface unit 44 allows data and a program coming from theinternal bus 51 to be stored into the HDD 47 and, on the contrary, dataand a program stored in the HDD 47 to be read out and forwarded to theinternal bus 51. The expansion board 48 is connected to the input/outputinterface unit 44, if needed, allowing necessary functions to be addedto the personal computer 2. The EEPROM unit 50 is used for storinginformation which needs to be stored even after the power supply of thepersonal computer 2 is turned off. In the case of the presentembodiment, an example of such information is a variety ofencryption/decryption keys. The internal bus 51 is a local bus typicallyimplemented by a PCI (Peripheral Component Interconnect) bus forconnecting the CPU 41, the ROM unit 42, the RAM unit 43, the 1394interface unit 49, the EEPROM unit 50 and the input/output interfaceunit 44 to each other.

It should be noted that the internal bus 51 is designed in anarchitecture open to the user through the input/output interface unit44. That is to say, the user is allowed to connect an additional boardas an expansion board 48 to the input/output interface unit 44, ifrequired, and to write a custom program for the additional board to beinstalled in the personal computer 2. The CPU 41 then executes thecustom program, properly exchanging data with the expansion board 48 byway of the internal bus 51 in order to implement a desired function.

In the case of a consumer electronic (CE) apparatus such as the DVDplayer 1 and the optical magnetic disc apparatus 3, on the contrary,their internal buses 28 and 38 are not designed in an architecture opento the user. Thus, the user is not capable of acquiring data transmittedby way of the internal bus 28 or 38 unless the internal bus 28 or 38 isredesigned specially.

The following is a description of processing of authentication of a sinkcarried out by a source with reference to FIGS. 3 and 4. FIG. 3 is anexplanatory diagram used for describing the authentication processing.As shown in the figure, the processing is typically carried out byfirmware 20 stored as a program in advance in the ROM unit 22 employedin the DVD player 1 serving as the source to authenticate a licensemanager 62 stored in the ROM unit 42 to be executed as a program by theCPU 41 employed in the personal computer 2 serving as the sink.

FIG. 4 is a diagram showing an embodiment implementing a procedurewhereby the source implemented typically by the DVD player 1authenticates the sink implemented typically by the personal computer 2by allowing the sink to generate a sink side common session key havingthe same value as a source side common session key generated by thesource only if the sink is a valid sink. In the EEPROM unit 27 employedin the DVD player 1, a service key and a hash function are stored inadvance. The service key and the hash function are given by an author ofinformation to the user of the DVD player 1 who has to keep them in theEEPROM unit 27 in strict confidence.

The author provides the user with a service key for each piece ofinformation created by the author. The service key is used as a keycommon to all apparatuses connected to each other by the 1394 serial bus11 to compose a system. It should be noted that, in the presentspecification, the term system is used to imply the whole systemcomprising a plurality of apparatuses.

The hash function is used for transforming an input with an arbitrarylength into output data with a fixed length such as 64 bits or 128 bits.Let the transformation be expressed by y=hash (x) where the symbol x isthe input to the hash function and the symbol y is the data output bythe function. In this case, the hash function is such a complex functionthat it is difficult to find the value of x from a given value of y. Thehash function is such a complicated function that it is difficult tofind a pair of x1 and x2 that satisfies the equation hash (x1)=hash(x2). MD5 and SHA are each the name of a function known as arepresentative one-way hash function. For details of the one-way hashfunction, refer to a reference with a title “Applied Cryptography”authored by Bruce Schneier, a second edition published by Wiley.

In the personal computer 2 used as a typical sink in the example shownin FIG. 4, on the other hand, an ID unique to the electronic apparatus,that is, the personal computer 2 in this case, and a license keyprovided in advance by the author of information are stored in strictconfidence in the EEPROM unit 50. This node (apparatus) unique ID isnormally assigned to the electronic apparatus by the manufacturer ofelectronic equipment as will be described later. The license key is avalue resulting from application of the hash function to (n+m)-bit datawhich is obtained by concatenating the n-bit ID with the m-bit servicekey. Thus, the license key can be expressed by the following equation:license_key=hash(ID∥service_key)where the notation “ID∥service_key” represents a concatenation of the IDwith the service key.

A node_unique_ID determined by specifications of the 1394 bus 11 can betypically used as an ID. FIG. 5 is a diagram showing the format of thenode unique ID. As shown in the figure, the node unique ID comprises 8bytes (or 64 bits). The first 3 bytes are controlled by the IEEE andgiven by the IEEE to a manufacturer of electronic equipment as a numberunique to the manufacturer. On the other hand, the low-order 5 bytes canbe assigned by the manufacturer of electronic equipment itself to anelectronic apparatus sold to the user. Typically, each value of thewhole low-order 5 bytes are assigned by the electronic equipment makerto an electronic apparatus as a serial number of the apparatus. Sincethe high-order 3 bytes have a value unique to the manufacturer ofelectronic equipment, the node_unique_ID is unique to each of electronicapparatuses without regard to whether the apparatuses are produced bythe same manufacturer or different manufacturers.

As shown in FIG. 4, the procedure begins with a step S1 at which thefirmware 20 in the DVD player 1 controls the 1394 interface unit 26 tomake a request to the personal computer 2 for the ID thereof to betransmitted by way of the 1394 serial bus 11. Then, the procedure goeson to a step S2 at which the license manager 62 of the personal computer2 receives the request for the ID. To put it in detail, the 1394interface unit 49 employed in the personal computer 2 passes on therequest for the ID transmitted by the DVD player 1 by way of the 1394serial bus 11 to the CPU 41. The procedure then proceeds to a step S3 atwhich the license manager 62 being executed by the CPU 41 reads out theID from the EEPROM unit 50 in accordance with the request forwardedthereto by the 1394 interface unit 49 and transmits the ID to the DVDplayer 1 by way of the 1394 interface unit 49 and the 1394 serial bus11.

Then, the procedure continues to a step S4 at which the 1394 interfaceunit 26 employed in the DVD player 1 receives the ID and passes on it tothe firmware 20 being executed by the CPU 21.

Subsequently, the procedure goes on to a step S5 at which the firmware20 concatenates the ID received from the personal computer 2 with aservice key stored in the EEPROM unit 27 to form data (ID∥service_key).Then, a license key lk is computed by applying the hash function to thedata (ID∥service_key) as shown in the following equation:lk=hash(ID∥service_key)

The procedure then proceeds to a step S6 at which the firmware 20generates a source side common session key sk, details of which will bedescribed later. The source side common session key sk will be used as acommon session key S by both the DVD player 1 to encrypt a clear text tobe transmitted and by the personal computer 2 to decrypt an encryptedtext received from the DVD player 1.

Then, the procedure continues to a step S7 at which the firmware 20encrypts the source side common session key sk generated at the step S6by using the license key lk computed at the step S5 as a key to producean encrypted source side common session key e in accordance with thefollowing equation:e=Enc(lk,sk)

It should be noted that the expression Enc (A, B) on the right hand sideof the above equation represents a common session keyencryption/decryption technique whereby data B is encrypted by using akey A to produce an encrypted source side common session key e on theleft hand side of the equation.

Subsequently, the procedure goes on to a step S8 at which the firmware20 transmits the encrypted source side common session key e generated atthe step S7 to the personal computer 2. To put it in detail, theencrypted source side common session key e is transmitted by the 1394interface unit 26 employed in the DVD player 1 to the personal computer2 by way of the 1394 serial bus 11. The procedure then proceeds to astep S9 at which the 1394 interface unit 49 employed in the personalcomputer 2 receives the encrypted source side common session key e.Then, the license manager 62 decrypts the encrypted source side commonsession key e passed on thereto by the 1394 interface unit 49 by using alicense key provided in advance by the author of information and storedin the EEPROM unit 50 as a key to produce a sink side common session keysk′ in accordance with the following equation:sk′=Dec(license_key,e)

It should be noted that the expression Dec (A, B) on the right hand sideof the above equation represents the common session keyencryption/decryption technique whereby encrypted data B is in this casedecrypted by using a key A to produce a sink side common session key sk′on the left hand side of the equation.

It is also worth noting that a DES algorithm is known as a dataencrypting/decrypting algorithm adopted in the common session keyencryption/decryption technique which is also described in detail in thesecond edition of the reference with the title “Applied Cryptography”cited above.

The license key provided by the author of information and stored in theEEPROM unit 50 employed in the personal computer 2 in advance has avalue which was computed by the author by using the same hash functionas license the key lk was generated by the DVD player 1 at the step S5.That is to say, the following equation holds true:lk=license_key

Thus, based on the common source side common session keyencryption/decryption technique using the same (license) key, thedecryption carried out by the personal computer 2 at the step S10 isjust a reversed process of the encryption performed by the DVD player 1at the step S7. As a result, since e is the encrypted data of the sourceside common session key sk generated by the DVD player 1 at the step S6,the sink side common session key sk′ computed by the personal computer2, that is, a result of the decryption of the encrypted source sidecommon session key e, is equal to the source side common session key sk.That is to say, the following equation holds true:sk′=sk

In this way, since the source and sink side common session keys sk andsk′ have the same value, the source implemented typically by the DVDplayer 1 and the sink implemented typically by the personal computer 2can share a common session key S. For this reason, the DVD player 1 canuse the key sk as an encryption key as it is to encrypt a clear textcreated by the author to be transmitted to the personal computer 2. Bythe same token, the personal computer 2 can use the sink side commonsession key sk′ as a decryption key as it is to decrypt an encryptedtext received from the DVD player 1. As an alternative, the DVD player 1generates a pseudo random number to be used as an encryption key byusing the source side common session key sk as a base as will bedescribed later. Likewise, the personal computer 2 generates a randomnumber to be used as a decryption key by using the sink side commonsession key sk′ as a base as will also be described later.

As described above, the license key lk is generated at the step S5 ofthe procedure shown in FIG. 4 by applying the hash function to aconcatenation of an ID unique to a particular electronic apparatus and aservice key provided for a text created by the author. Thus, in a pairof electronic apparatuses wherein the source does not have the servicekey for the text and/or the sink does not have the ID unique to thelegal owner, it is impossible to generate the correct license key lk(Refer to the step S5 of the procedure shown in FIG. 4). In addition, anelectronic apparatus not authenticated by the author is not providedwith a license key and, thus, not capable of generating the session keysk′ (Refer to the step S10 of the procedure shown in FIG. 4). In anormal case, after the procedure shown in FIG. 4 is completed, the DVDplayer 1 encrypts reproduced data or a clear text by using the sourceside common session key sk and transmits the encrypted data or theencrypted text to the personal computer 2. Provided with a correctlicense key, the personal computer 2 is capable of generating the sinkside common session key sk′ (Refer to the step S10 of the procedureshown in FIG. 4). The personal computer 2 is thus capable of decryptingthe encrypted playback data or the encrypted text received from the DVDplayer 1 by means of the sink side common session key sk′. If thepersonal computer 2 is not a licensed electronic apparatus, however, itwill be impossible to generate the sink side common session key sk′because the correct license key is not available. As a result, theunlicensed personal computer 2 is not capable of decrypting theencrypted playback data or the encrypted text received from the DVDplayer 1. In other words, only a sink capable of generating a sink sidecommon session key sk′ having the same value as the source side commonsession key sk generated by the source is authenticated in the end. Thisis because only a particular electronic apparatus serving as anauthorized source which has a service key provided by an author forinformation or a text created by the author and receives a correct IDfrom an authorized sink is capable of generating the correct license keylk. By the same token, only a particular electronic apparatus serving asan authorized sink which is provided with the correct license key by theauthor is capable of generating the correct sink side common session keysk′ for use as a decryption key to decrypt encrypted data or anencrypted text.

Assume that a license key granted to a personal computer 2 is stolen byany chance. In this case, nevertheless, the stolen license key can notbe used in another electronic apparatus to generate a valid sink sidecommon session key sk′ because the other apparatus has an ID differentfrom that assigned to the personal computer 2. Since the ID varies fromapparatus to apparatus as such, another electronic apparatus will not becapable of decrypting the encrypted playback data or the encrypted textreceived from the DVD player 1 by means of the stolen license key. As aresult, the security of transmitted information can be enhanced.

By the way, an unauthorized user may know both the encrypted source sidecommon session key e and the source side common session key sk by anychance for some reasons. In this case, since the encrypted source sidecommon session key e is a kind of text resulting from encryption of thesource side common session key sk using the license key lk, it is quitewithin the bounds of possibility that the unauthorized user is capableof obtaining the correct value of the license key lk by using all valuesof the license key lk in the encryption of the source side commonsession key sk using the license key lk to calculate the encryptedsource side common session key e on a trial-and-error basis providedthat the algorithm of the encryption is disclosed.

In order to prevent an unauthorized user from launching such a kind ofattack, the process to reversely derive a license key from a knownencrypted source side common session key e and a known source sidecommon session key sk can be made difficult by keeping the algorithm ofthe encryption in strict confidence, that is, by not disclosing part orall of the encryption algorithm to the public.

By the same token, a process to reversely derive a service key from aknown license key and an ID by using all values of the service key andthe known ID in a hash function to produce the known license key on atrial-and-error basis can be made complicated by keeping the hashfunction in strict confidence, that is, by not disclosing part or all ofthe hash function to the public.

FIG. 6 is a diagram showing another embodiment implementing anauthentication procedure whereby a source implemented typically by theDVD player 1 authenticates two sinks implemented typically by thepersonal computer 2 and the optical magnetic disc apparatus 3respectively by allowing each of the sinks to generate a sink sidecommon session key having the same value as a source side common sessionkey generated by the source only if the sinks are valid sinks.

In the EEPROM unit 50 employed in the personal computer 2 serving as thefirst sink, ID 1, an identification assigned in advance uniquely by amanufacturer of electronic equipment to the personal computer 2, andLicense Key 1, a license key provided in advance by an author ofinformation to the computer 2 are stored. By the same token, in theEEPROM unit 37 employed in the optical magnetic disc apparatus 3 servingas the second sink, ID 2, an ID assigned in advance uniquely by amanufacturer of electronic equipment to the disc apparatus 3, andLicense Key 2, a license key provided in advance by the author ofinformation to the disc apparatus 3 are stored.

Since pieces of processing carried out at the steps S11 to S20 by theDVD player l serving as the source and the personal computer 2 servingas the first sink are in essence the same as those of the steps S1 toS10 of the procedure shown in FIG. 4, their explanation is not repeated.

In brief, the personal computer 2 generates a valid sink side commonsession key sk1′ from an encrypted source side common session key e1received from the DVD player 1 at the step S20 as described above. Theprocedure then goes on to a step S21 at which the firmware 20 in the DVDplayer 1 controls the 1394 interface unit 26 to make a request to theoptical magnetic disc apparatus 3 for the ID thereof to be transmittedby way of the 1394 serial bus 11. Then, the procedure goes on to a stepS22 at which firmware 30 of the optical magnetic disc apparatus 3 shownin FIG. 10 receives the request for the ID. To put it in detail, the1394 interface unit 36 employed in the optical magnetic disc apparatus 3passes on the request for the ID transmitted by the DVD player 1 by wayof the 1394 serial bus 11 to the CPU 31. The procedure then proceeds toa step S23 at which the firmware being executed by the CPU 31 reads outthe identification ID2 from the EEPROM unit 37 in accordance with therequest forwarded thereto by the 1394 interface unit 36 and transmitsthe identification ID2 to the DVD player 1 by way of the 1394 interfaceunit 36 and the 1394 serial bus 11.

Then, the procedure continues to a step S24 at which the 1394 interfaceunit 26 employed in the DVD player 1 receives the identification ID2 andpasses on it to the firmware 20 being executed by the CPU 21.

Subsequently, the procedure goes on to a step S25 at which the firmware20 concatenates the identification ID2 received from the opticalmagnetic disc apparatus 3 with a service key stored in the EEPROM unit27 to form data (ID2∥service_key). Then, a license key lk2 is computedby applying the hash function to the data (ID2∥service_key) as shown inthe following equation:lk2=hash(ID2∥service_key)

Then, the procedure continues to a step S26 at which the firmware 20encrypts the source side common session key sk generated at the step S16by using the license key lk2 computed at the step S25 as a key toproduce an encrypted source side common session key e2 in accordancewith the following equation:e2=Enc(lk2,sk)

Subsequently, the procedure goes on to a step S27 at which the firmware20 transmits the encrypted source side common session key e2 generatedat the step S26 to the optical magnetic disc 3. To put it in detail, theencrypted source side common session key e2 is transmitted by the 1394interface unit 26 employed in the DVD player 1 to the optical magneticdisc apparatus 3 by way of the 1394 serial bus 11.

The procedure then proceeds to a step S28 at which the 1394 interfaceunit 36 employed in the optical magnetic disc 3 receives the encryptedsource side common session key e2. Then, the procedure proceeds to astep S29 at which the firmware 30 decrypts the encrypted source sidecommon session key e2 passed on thereto by the 1394 interface unit 36 byusing a license key (license_key 2) stored in the EEPROM unit 37 as akey to produce a sink side common session key sk2′ in accordance withthe following equation:sk2′=Dec(license_key 2,e2)

As described above, the personal computer 2 and the optical magneticdisc apparatus 3 generate the sink side common session keys sk1′ andsk2′ at the steps S20 and S29 respectively. Normally, the sink sidecommon session keys sk1′ and sk2′ have the same value as the source sidecommon session key sk generated by the DVD player 1 at the step S16.

In the procedure shown in FIG. 6, the DVD player 1 makes requests for anID to the personal computer 2 and the optical magnetic disc apparatus 3separately. It should be noted, however, that in the case ofbroadcasting communication wherein requests can be made at the sametime, processing according to an embodiment implementing a procedurelike one shown in FIG. 7 can be carried out.

As shown in the figure, the procedure begins with a step S41 at whichthe DVD player 1 transmits requests to all sinks, that is, the personalcomputer 2 and the optical magnetic disc apparatus 3, for the IDsthereof by broadcasting communication. Then, the procedure goes on tosteps S42 and S43 at which the personal computer 2 and the opticalmagnetic disc apparatus 3 respectively receive the requests for the IDs.The procedure then proceeds to steps S44 and S45 at which the personalcomputer 2 and the optical magnetic disc apparatus 3 read out theidentifications ID1 and ID2 from the EEPROM units 50 and 37 respectivelyand transmit them to the DVD player 1. Then, the procedure continues tosteps S46 and S47 at which the DVD player 1 receives the identificationsID1 and ID2 respectively.

Subsequently, the procedure goes on to a step S48 at which the DVDplayer 1 concatenates the identification ID1 received from the personalcomputer 2 with a service key stored in the EEPROM unit 27 to form data(ID1∥service_key). Then, a license key lk1 is computed by applying thehash function to the data (ID1∥service_key) as shown in the followingequation:lk1=hash(ID1∥service_key)

Subsequently, the procedure goes on to a step S49 at which the DVDplayer 1 concatenates the identification ID2 received from the opticalmagnetic disc apparatus 3 with the service key stored in the EEPROM unit27 to form data (ID2∥service_key). Then, a license key lk2 is computedby applying the hash function to the data (ID2∥service_key) as shown inthe following equation:lk2=hash(ID2∥service_key)

The procedure then proceeds to a step S50 at which the DVD player 1generates a source side common session key sk. Then, the procedurecontinues to a step S51 at which the DVD player 1 encrypts the sourceside common session key sk generated at the step S50 by using thelicense key lk1 computed at the step S48 as a key to produce anencrypted source side common session key e1 in accordance with thefollowing equation:e1=Enc(lk1,sk)

Then, the procedure continues to a step S52 at which the DVD player 1encrypts the source side common session key sk generated at the step S50by using the license key lk2 computed at the step S49 as a key toproduce an encrypted source side common session key e2 in accordancewith the following equation:e2=Enc(lk2,sk)

The procedure then goes on to a step S53 at which the identificationID1, the encrypted source side common session key e1, the identificationID2 and the encrypted source side common session key e2 are concatenatedto produce an encrypted source side common session key e as follows:e=ID1∥e1∥ID2∥e2

Subsequently, the procedure goes on to a step S54 at which the DVDplayer 1 transmits the encrypted source side common session key e to thepersonal computer 2 and the optical magnetic disc apparatus 3 bybroadcasting communication. The procedure then proceeds to steps S55 andS56 at which the personal computer 2 and the optical magnetic discapparatus 3 receive the encrypted source side common session key e.Then, the procedure proceeds to steps S57 and S58 at which the personalcomputer 2 and the optical magnetic disc apparatus 3 decrypt theencrypted source side common session keys e1 and e2 extracted from theencrypted source side common session key e by using the license keysLicense Key 1 and License Key 2 stored in the EEPROM units 50 and 37 askeys to produce sink side common session keys sk1′ and sk2′ respectivelyin accordance with the following equations:sk1′=Dec(License_key 1,e1)sk2′=Dec(License_key 2,e2)

FIG. 8 is a diagram showing an embodiment implementing a procedure ofauthentication processing whereby only a valid sink will generate a sinkside common session key sk′ having the same value as a source sidecommon session key sk generated by a source in a system wherein the sinkis capable of rendering a plurality of services, that is, decrypting aplurality of kinds of information. To handle the different kinds ofinformation, the personal computer 2 serving as the sink is providedwith a plurality of license keys stored in the EEPROM unit 50 such asLicense_key 1, License_key 2, License_key 3 etc. for the different kindsof information. By the same token, the DVD player 1 serving as a sourcehas information on a plurality of service IDs for identifying whichkinds of information to be transmitted to the sink and a plurality ofservice keys stored in the EEPROM unit 27 such as Service_key 1,Service_key 2, Service_key 3 etc. used for generating License_key 1,License_key 2, License_key 3 etc. respectively. Pieces of processingcarried out in the procedure shown in FIG. 8 are similar to those of theprocedure shown in FIG. 4 except for the following steps. To begin with,at a step S81, the DVD player 1 transmits a request for an ID along witha service ID for identifying a kind of information, which is to beserviced by the personal computer 2 used as the sink, to the personalcomputer 2. Then, at a step S85, a license key lk is generated by theDVD player 1 by application of the hash function to an ID received fromthe personal computer 2 and one of Service_key 1, Service_key 2,Service_key 3 etc. in the EEPROM unit 27 which is associated with thekind of information to be transmitted to the sink, that is, associatedwith the service ID transmitted to the personal computer 2 at the stepS81. Finally, at a step S90, the personal computer 2 generates a sinkside common session key sk′ from an encrypted source side common-sessionkey e received from the DVD player 1 at a step 89 and one of License_key1, License_key 2, License_key 3 etc. in the EEPROM unit 50 that isassociated with the service ID received from the DVD player 1 at thestep S82.

FIG. 9 is a diagram showing another embodiment implementing a procedureof authentication whereby only a valid sink will be capable ofgenerating a sink side common session key sk′ having the same value as asource side common session key sk generated by a source. In this case,the DVD player 1 used as a source has a service key, a hash function anda pseudo random number generating function pRNG which are stored in theEEPROM unit 27 employed thereby. The service key, the hash function andthe pseudo random number generating function pRNG are given by an authorof information and kept in strict confidence. On the other hand, storedin the EEPROM unit 50 employed by the personal computer 2 serving as asink are an ID assigned to the personal computer 2 by the manufacturerof electronic equipment as well as license keys LK and LK′, a confusionfunction G and the pseudo random number generating function pRNG whichare given by the author of the information.

The license key LK is a unique random number generated by the authorwhereas the license key LK′ is also generated by the author so as tosatisfy the following equation:LK′=G^−1(R)

-   where R=pRNG (H) (+) pRNG (LK)-   where H=hash ((ID∥service_ey)

It should be noted that, while the symbol ^ alone denotes the powernotation, the notation ‘G^−1’ means the inverse function of theconfusion function G. The value of the inverse function G^−1 can befound with ease provided that predetermined rules are known. If thepredetermined rules are not known, however, it is difficult to computethe value of the inverse function G^−1. A function used in encryptionbased on a disclosed key can be utilized as this function.

In addition, the function pRNG for generating a random number can beimplemented by hardware.

As shown in FIG. 9, the procedure begins with a step S101 at which thefirmware20 in the DVD player 1 makes a request to the license manager 62of the personal computer 2 for the ID thereof to be transmitted. Then,the procedure goes on to a step S102 at which the license manager 62 ofthe personal computer 2 receives the request for the ID. The procedurethen proceeds to a step S103 at which the license manager 62 reads outthe ID from the EEPROM unit 50 in accordance with the request andtransmits the ID to the DVD player 1. Then, the procedure continues to astep S104 at which the DVD player 1 receives the ID.

Subsequently, the procedure goes on to a step S105 at which thefirmware20 concatenates the ID received from the personal computer 2with a service key stored in the EEPROM unit 27 to form data(ID∥service_key). Then, a value H is computed by applying the hashfunction to the data (ID∥service_key) as shown in the followingequation:H=hash(ID∥service_key)

The procedure then proceeds to a step S106 at which the firmware20generates a source side common session key sk. Then, the procedurecontinues to a step S107 at which the firmware20 compute an encryptedsource side common session key e from the value H generated at the stepS105 and the source side common session key sk generated at the stepS106 in accordance with the following equation:e=sk(+)pRNG(H)where the notation (+) used on the right hand side of the above equationis the operator of the operation to compute an exclusive logical sumand, thus, an expression A (+) B represents the exclusive logical sum ofA and B.

That is to say, at the step S107, the source side common session key skgenerated at the step S106 is encrypted to produce the encrypted sourceside common session key e by finding the exclusive logical sum of eachbit of the key sk and the corresponding bit of pRNG (H), a random numberobtained by applying the pseudo random number generating function pRNGto the value H generated at the step S105.

Subsequently, the procedure goes on to a step S108 at which thefirmware20 transmits the encrypted source side common session key egenerated at the step S107 to the personal computer 2.

The procedure then proceeds to a step S109 at which the personalcomputer 2 receives the encrypted source side common session key e.Then, the procedure proceeds to a step S110 at which the license manager62 decrypts the encrypted source side common session key e by using thelicense keys LK and LK′ stored in the EEPROM unit 50 as keys to producea sink side common session key sk′ in accordance with the followingequation:sk′=e(+)G(LK′)(+)pRNG(LK)

That is to say, at the step S110, the encrypted source side commonsession key e received from the DVD player 1 is decrypted to produce thesink side common session key sk′ by finding the exclusive logical sum ofthe encrypted source side common session key e, G (LK′), a valueobtained by applying the confusion function G stored in the EEPROM unit50 to the license key LK′ also stored in the EEPROM unit 50, and pRNG(LK), a value obtained by applying the pseudo random number generatingfunction pRNG also stored in the EEPROM unit 50 to the license key LKalso stored in the EEPROM unit 50.

Much like the procedure shown in FIG. 4, the sink side common sessionkey sk′ generated by the personal computer 2 at the step S110 has thesame value as the source side common session key sk generated by the DVDplayer 1 at the step S6. The fact that sk=sk′ is proven by thefollowing:sk′=e(+)G(LK′)(+)pRNG(LK)

Substituting (sk (+) pRNG (H)) for e in the expression on the right handside of the above equation yields the following equation:

sk^(′) = sk(+)pRNG(H)(+)G(LK^(′))(+)pRNG(LK)Since G(LK′)=G(G^−1 (R))=R, the following equation is obtained:

sk^(′) = sk(+)pRNG(H)(+)R(+)pRNG(LK)Substituting (pRNG (H) (+) pRNG (LK)) for R in the expression on theright hand side of the above equation yields the following equation:

$\begin{matrix}{{sk}^{\prime} = {{{sk}( + )}{{pRNG}(H)}( + ){{pRNG}(H)}( + ){{pRNG}({LK})}( + ){{pRNG}({LK})}}} \\{= {sk}}\end{matrix}$

As described above, the source and sink side common session keys sk andsk′ are a common key S shared by both the DVD player 1 and the personalcomputer 2 serving as a source and a sink respectively. In addition,unlike the procedures described previously, it is only an author ofinformation who is capable of generating license keys LK and LK′. Thus,an attempt made by a source to illegally generate the license keys LKand LK′ will end in a failure. As a result, the security of transmittedinformation can be further improved.

In the authentication procedures described above, a source authenticatesa sink by allowing the sink to generate a sink side common session keysk′ having the same value as a source side common session key skgenerated by the source only if the sink is a valid sink. The procedurecan also be applied for example to authenticate the ordinary operationto load an application program in the personal computer 2 in order toprevent an application program obtained illegally from being executed.In this case, it is necessary to form a judgment as to whether or notexecution of each application program is allowed by the author of theprogram through the same procedure as those described so far whereby thelicense manager 62 authenticates an application module 61 as shown inFIG. 3. To be more specific, in the authentication procedure shown inFIG. 3, the license manager 62 serves as a source whereas theapplication module 61 is used as a sink.

After the authentication process described above has been completed,that is, after the sink has generated a sink side common session key sk′having the same value as a source side common session key sk generatedby the source, data or a clear text encrypted by the source by using anencryption key is transmitted to the sink from the source. At the sink,the encrypted data or the encrypted text is decrypted back by using adecryption key. As described above, the source and sink side commonsession keys sk and sk′ can be used as encryption and decryption keysrespectively as they are or, as an alternative, a random numbergenerated from the session key sk or sk′ is used as an encryption ordecryption key instead. The operation carried out by the source toencrypt data and the operation carried out by the sink to decrypt theencrypted data are explained as follows.

In an electronic apparatus such as the DVD player 1 and the opticalmagnetic disc apparatus 3, the internal functions of which are not builtin an architecture open to the user, the processing to encrypt anddecrypt data transmitted through the 1394 serial bus 11 in a system likeone shown in FIG. 10, a block diagram showing a system wherein a sourcetransmits encrypted data to sinks, is carried out by the 1394 interfaceunits 26 and 36 employed in the DVD player 1 and the optical magneticdisc apparatus 3 respectively. Data is encrypted or decrypted by usingby using a session key S, that is, the source side common session key skor the sink side common session key sk′ described earlier, and a timevariable key i, strictly speaking, a key i′ for generating the timevariable key i. The session key S and the key i′ are supplied by thefirmware20 or 30 to the 1394 interface unit 26 or 36 respectively. Thesession key S comprises an initial value key Ss used as an initial valueand a derangement key Si for deranging the time variable key i. Theinitial value key Ss and the derangement key Si can be formedrespectively from a predetermined number of high order bits and apredetermined number of low order bits of the source side common sessionkey sk or the sink side common session key sk′ which has the same valueas sk used in the process of authenticating the sink described earlier.The session key S is properly updated in each session, for example, foreach movie information or for each playback operation. On the otherhand, the time variable key i which is generated from the derangementkey Si of the session key S and the key i′ is updated a number of timesin a session. For example, time information obtained with predeterminedtiming can be used typically as the key i′.

Assume that movie data played back and output by the DVD player 1serving as a source is transmitted to the optical magnetic discapparatus 3 and the personal computer 2 which are used as sinks by wayof the 1394 serial bus 11 and is then decrypted by the sinks. In thiscase, the data is encrypted by the 1394 interface unit 26 employed inthe DVD player 1 by using the session key S and the time variable key i,strictly speaking, the key i′ and the encrypted data is decrypted backby the 1394 interface unit 36 employed in the optical magnetic discapparatus 3 by using the session key S and the time variable key i,strictly speaking, the key i′.

In the personal computer 2, on the other hand, the license manager 62supplies the initial value key Ss of the session key S to theapplication module 61 and the derangement key Si of the session key Sand the time variable key i, strictly speaking, the key i′ forgenerating the time variable key i, to the 1394 interface unit 49serving as a link unit. In the 1394 interface unit 49, the time variablekey i is generated from the derangement key Si and the key i′ and usedfor decrypting back the encrypted data. The decrypted data is furtherdecrypted by the application module 61 by using the session key S,strictly speaking, by using the initial value key Ss of the session keyS.

As described above, in the personal computer 2 having an architecturewherein the internal bus 51 is designed in an architecture open to theuser, the 1394 interface unit 49 carries out only a 1st stage of thedecryption on the encrypted data, leaving the data still in an encryptedstate. Then, the application module 61 further performs a 2nd stage ofthe decryption on the data decrypted by the 1394 interface unit 49 toproduce the clear text. In this way, the personal computer 2 isprohibited from copying data (that is, a clear text) transferred by wayof the internal bus 51 to another medium such as a hard disc mounted onthe hard disc drive 47 through the use of a proper function added to theinternal bus 51.

As described above, according to the embodiment of the presentinvention, in a CE apparatus with-an architecture wherein an internalbus is not open to the user, encrypted data is decrypted only once byusing a session key S and a time variable key i, strictly speaking, akey i′. In the case of a CE apparatus such as the personal computer 2with an architecture wherein an internal bus is open to the user, on theother hand, encrypted data is decrypted by using a time variable key i,which is generated by using the derangement key Si of a session key Sand the key i′, at a 1st stage of decryption, and then further decryptedby using the initial value Ss of the session key S at a 2nd stage ofdecryption. The1st and 2nd stages of the decryption processing arerepresented by the following equation:Dec(Ss,Dec(i,Enc(algo(S+i′),Data)))=Datawhere the term algo (S+i′) appearing on the left hand side of the aboveequation represents a value resulting from application of apredetermined algorithm to the session key S and the time variable keyi, strictly speaking, the key i′, the notation Dec appearing at the leftend of the equation represents the 2nd stage of the decryption, theother Dec notation denotes the 1st stage of decryption and the notationEnc indicates the encryption carried out by the source.

FIG. 11 is a block diagram showing a typical configuration of the 1394interface unit 26 that satisfies the term Enc appearing in the equationgiven above to represent the encryption carried out by the DVD player 1employing the 1394 interface unit 26. As shown in the figure, theconfiguration comprises an additive generator 71, an LFSR (LinearFeedback Shift Register) 72, a shrink generator 73 and an adder 74.m-bit data generated by the additive generator 71 and 1-bit datagenerated by the LFSR are supplied to the shrink generator 73. Theshrink generator 73 selects some pieces of m-bit data received from theadditive generator 71 in accordance with the value of the 1-bit datasupplied by the LFSR 72 and outputs the selected m-bit data to the adder74 as an encryption key. It should be noted that the m-bit encryptionkey, a random number generated by the shrink generator 73, correspondsthe key (S+i′) in the equation given above. The adder 74 adds the m-bitencryption key received from the shrink generator 73 to an input cleartext, that is, m-bit data to be transmitted to the 1394 serial bus 11,to produce an encrypted text or encrypted data.

The addition carried out by the adder 74 is a mod 2^m process, where thesymbol ^ is the power notation, meaning addition of the encryption keygenerated by the shrink generator 73 to the clear text. In other words,the process is addition of an m-bit key to m-bit data with a carry-overignored.

FIG. 12 is a block diagram showing a detailed configuration of the 1394interface unit 26 which is shown in FIG. 11 in a simple and plainmanner. As shown in FIG. 12, the initial value key Ss of the session keyS received from the firmware20 is supplied to and held in a register 82by way of the adder 81. Typically, the initial value key Ss comprises 55words each having a length in the range 8 to 32 bits. On the other hand,the derangement key Si of the session key S is held in a register 85.Typically, the derangement key Si is the low order 32 bits of thesession key S.

The key i′ is held in a 32-bit register 84. The key i′ is created in aprocess of accumulation of bits. To put it in detail, each time a packetis transmitted through the 1394 serial bus 11, typically, two bits usedfor forming the key i′ are supplied to the register 84. The creation ofthe 32-bit key i′ is completed as 16 packets are transmitted. At thattime, the 32-bit key i′ is added to the derangement key Si held in theregister 85 by an adder 86 to finally generate a time variable key iwhich is supplied to the adder 81. The adder 81 adds the time variablekey i output by the adder 86 to the initial value key Ss held in theregister 82, storing the result of the addition back in the register 82.

Assume that the number of bits per word in the register 82 is 8. In thiscase, since the time variable key i output by the adder 86 is 32 bits inwidth, the time variable key i is divided into 4 portions eachcomprising 8 bits. Each of the 4 portions is then added to a word in theregister 82 at a predetermined address, that is, at one of the addresses0 to 54.

As described above, the initial value key Ss is held initially in theregister 82. Each time16 packets of an encrypted text are transmittedthereafter, however, the initial value Ss is updated by adding the timevariable key i thereto.

An adder 83 selects predetermined two words among the 55 words of theregister 82 and adds the selected two words to each other. With timingshown in FIG. 12, words at addresses 23 and 54 are selected by the adder83. The adder 83 supplies the result of the addition to the shrinkgenerator 73 and a word in the register 82. With the timing shown inFIG. 12, the adder 83 supplies the result of the addition to the word ofthe register 82 at an address 0 to replace the data currently stored inthe word.

At the next timing, the two words selected by the adder 83 are changedfrom the addresses 54 and 23 to addresses 53 and 22, being shifted inthe upward direction shown in the figure by 1 word. By the same token,the destination of the result of the addition output by the adder 83 isalso shifted upward. Since there is no word above address 0, however,the destination is changed from the word at address 0 to the word ataddress 54 at the bottom of the register 82.

It should be noted that, in each of the adders 81, 83 and 86, processingto compute an exclusive logical sum can be carried out instead.

FIG. 13 is a block diagram showing a typical configuration of the LFSR72. As shown in the figure, the LFSR 72 comprises an n-bit shiftregister 101 and an adder 102 for summing up the values of apredetermined number of bits among the n bits. A bit resulting from theaddition by the adder 102 is stored in the left most bit b_(n) of then-bit shift register 101 shown in the figure and, at the same time, theprevious value of the bit b_(n) is shifted to a bit b_(n−1) on the righthand side of the bit b_(n). By the same token, the bit shifting to theright is applied to the previous values of bits b_(n−1), b_(n−2), - - -, etc. whereas the previous value of the right most bit b₁ shown in thefigure is output. At the next timing, a bit resulting from the additionby the adder 102 is again stored in the left most bit b_(n) of the n-bitshift register 101 and, at the same time, the previous value of the bitb_(n) is again shifted to a bit b_(n−1) on the right hand side of thebit b_(n). By the same token, the bit shifting to the right is gainapplied to the previous values of bits b_(n−1), b_(n−2), - - - , etc.whereas the previous value of the right most bit b₁ is again output.These operations are carried out repeatedly, sequentially outputtingbits from the right most bit b₁ one bit after another.

FIG. 13 is a diagram showing a typical configuration of the LFSR 72 ingeneral terms. On the other hand, FIG. 14 is a diagram showing a typicalconfiguration of the LFSR 72 in more concrete terms. In theconfiguration shown in FIG. 14, the shift register 101 comprises 31bits. The adder 102 is used for adding the value of the left most bitb₃₁ to the value of the right most bit b₁ and storing the result of theaddition in the left most bit 31 of the shift register 101.

As shown in FIG. 12, the shrink generator 73 comprises a conditionjudging unit 91 and a FIFO unit 92. The condition judging unit 91 passeson m-bit data supplied by the adder 83 employed in the additivegenerator 71 to the FIFO unit 92 to be held therein as it is when theLFSR 72 outputs a bit having the logic value “1”. When the LFSR 72outputs a bit having the logic value “0”, on the other hand, thecondition judging unit 91 does not pass on m-bit data supplied by theadder 83 employed in the additive generator 71 to the FIFO unit 92,suspending the encryption process. In this way, the condition judgingunit 91 employed in the shrink generator 73 selects only pieces of m-bitdata which are each generated by the additive generator 71 while theLFSR 72 is outputting a bit with the logic value “1” and stores theselected piece of m-bit data in the FIFO unit 92 of the generator 73.

Each piece of m-bit data held in the FIFO unit 92 is supplied as anencryption key to the adder 74 for generating an encrypted text byadding the encryption key to data representing a clear text to betransmitted to a sink, that is, data played back from a DVD in thesource.

The encrypted data is then transmitted from the DVD player 1 to theoptical magnetic disc apparatus 3 and the personal computer 2 by way ofthe 1394 serial bus 11.

FIG. 15 is a diagram showing a typical configuration of the 1394interface unit 36 employed in the optical magnetic disc apparatus 3 fordecrypting the encrypted data received from the DVD player 1 by way ofthe 1394 serial bus 11. As shown in the figure, much like the 1394interface unit 26 employed in the DVD player 1 shown in FIG. 11, theconfiguration comprises an additive generator 171, an LFSR (LinearFeedback Shift Register) 172, a shrink generator 173 and a subtractor174. m-bit data generated by the additive generator 171 and 1-bit datagenerated by the LFSR 172 are supplied to the shrink generator 173. Theshrink generator 173 selects some pieces of m-bit data received from theadditive generator 171 in accordance with the value of the 1-bit datasupplied by the LFSR 172 and outputs the selected m-bit data to thesubtractor 174 as a decryption key. The subtractor 174 subtracts them-bit decryption key received from the shrink generator 173 from anencrypted text, that is, m-bit data received from the DVD player 1 byway of the 1394 serial bus 11, to decrypt the encrypted text back intothe clear text.

It is obvious that the configuration of the 1394 interface unit 36employed in the DVD player 1 shown in FIG. 15 is basically identicalwith that of the 1394 interface unit 26 employed in the optical magneticdisc apparatus 3 shown in FIG. 11 except that the subtractor 174employed by the former is used as a substitute for the adder 74 of thelatter.

FIG. 16 is a diagram showing a detailed configuration of the 1394interface unit 36 which is shown in FIG. 15 in a simple and plainmanner. It is also obvious that the configuration of the 1394 interfaceunit 36 employed in the DVD player 1 shown in FIG. 16 is basicallyidentical with that of the 1394 interface unit 26 employed in theoptical magnetic disc apparatus 3 shown in FIG. 12 except that thesubtractor 174 employed by the former is used as a substitute for theadder 74 of the latter. An additive generator 171, an LFSR 172, a shrinkgenerator 173, an adder 181, a register 182, an adder 183, a register184, a register 185, an adder 186, a condition judging unit 191 and aFIFO unit 192 employed in the 1394 interface unit 36 of the opticalmagnetic disc apparatus 3 shown in FIG. 16 correspond to the additivegenerator 71, the LFSR 72, the shrink generator 73, the adder 81, theregister 82, the adder 83, the register 84, the register 85, the adder86, the condition judging unit 91 and a FIFO unit 92 employed in the 394interface unit 26 of the DVD player 1 shown in FIG. 12 respectively.

Thus, since the operation of the 1394 interface unit 36 employed in theoptical magnetic disc apparatus 3 shown in FIG. 16 is basically the sameas that of the 394 interface unit 26 employed in the DVD player 1 shownin FIG. 12, its explanation is not repeated. It should be noted,however, that the former is different from the latter in that, in thecase of the former, the subtractor 174 subtracts the m-bit decryptionkey received from the FIFO unit 192 employed in the shrink generator 173from an encrypted text, that is, m-bit data received from the DVD player1 by way of the 1394 serial bus 11, to decrypt the encrypted text intothe clear text.

In the 1394 interface unit 36 employed in the optical magnetic discapparatus 3, encrypted data is decrypted only once by using a sessionkey S, which comprises an initial value key Ss and a derangement key Si,and a time variable key i, strictly speaking, the key i′, as describedabove.

In the case of the personal computer 2, on the other hand, encrypteddata is decrypted by the 1394 interface unit 49 using a time variablekey i which is generated by the derangement key Si of the session key Sand a key i′ at a 1st stage of decryption and then further decrypted bythe application unit 61 using an initial value key Ss of the session keyS at a 2nd stage of decryption.

FIG. 17 is a diagram showing a typical configuration of the 1394interface unit 49 employed in the personal computer 2 for decrypting theencrypted data or the encrypted text received from the DVD player 1 byway of the 1394 serial bus 11 by means of hardware. As shown in thefigure, much like the 1394 interface unit 36 employed in the opticalmagnetic disc apparatus 3 shown in FIG. 15 and the 1394 interface unit26 employed in the DVD player 1 shown in FIG. 11, the configurationcomprises an additive generator 271, an LFSR (Linear Feedback ShiftRegister) 272, a shrink generator 273 and a subtractor 274 whichcorrespond to the additive generator 171, the LFSR (Linear FeedbackShift Register) 172, the shrink generator 173 and the subtractor 174shown in FIG. 15 respectively. The key i′ for generating the timevariable key i and the derangement key Si of the session key S forderanging the time variable key i input to the 1394 unit 49 shown inFIG. 17 from the license manager 62 are the same as the key i′ and thederangement key Si input to the 1394 interface unit 36 shown in FIG. 15from the firmware 30. However, all bits of the initial value key Ss ofthe session key S input to the 1394 unit 49 shown in FIG. 17 are resetto 0.

FIG. 18 is a diagram showing a detailed configuration of the 1394interface unit 49 which is shown in FIG. 17 in a simple and plainmanner. It is also obvious that the configuration of the 1394 interfaceunit 49 employed in the personal computer 2 shown in FIG. 18 isbasically identical with that of the 1394 interface unit 26 employed inthe DVD player 1 shown in FIG. 12 and the 1394 interface unit 36employed in the optical magnetic disc apparatus 3 shown in FIG. 16except that, in the case of the 1394 interface unit 49 shown in FIG. 18,since all bits of the initial value key Ss of the session key S input tothe 1394 unit 49 shown in FIG. 17 are reset to 0, in essence, thedecryption key is generated only from the time variable key i which isgenerated from the key i′ and the derangement key Si as if the initialvalue key Ss were not available. As a result, at the subtractor 274, theencrypted data or the encrypted text is decrypted by using only the timevariable key i. Since the initial value key Ss has not been used in thedecryption yet, a completely clear text has not been obtained yet as aresult of the decryption. That is to say, the result of the decryptionis still in an encrypted state. Thus, data resulting from the decryptioncan not be used as it is even if the data is copied from the internalbus 51 to a hard disc mounted on the hard disc drive 47 or anotherrecording medium.

Then, the data or the text decrypted by hardware in the 1349 interfaceunit 49 by using the time variable key i is further decrypted bysoftware in the application module 61. FIG. 19 is a diagram showing atypical configuration of the application module 61. Basically resemblingthe 1394 interface unit 26 employed in the DVD player 1 shown in FIG.11, the 1394 interface unit 36 employed in the optical magnetic discapparatus 3 shown in FIG. 15 and the 1394 interface unit 49 employed inthe personal computer 2 shown in FIG. 17, the application module 61shown in FIG. 19 comprises an additive generator 371, an LFSR (LinearFeedback Shift Register) 372, a shrink generator 373 and a subtractor374 which have configurations identical with the additive generator 171,the LFSR (Linear Feedback Shift Register) 172, the shrink generator 173and the subtractor 174 shown in FIG. 15 respectively.

It should be noted, however, that while the initial value key Ss of thesession key S is supplied to the application module 61 as is the casewith the 1394 interface unit 26 employed in the DVD player 1 shown inFIG. 11 and the 1394 interface unit 36 employed in the optical magneticdisc apparatus 3 shown in FIG. 15, the derangement key Si of the sessionkey S for deranging the time variable key i and the key i′ are each aunit element will all bits thereof reset to 0.

FIG. 20 is a diagram showing a detailed configuration of the applicationmodule 61 which is shown in FIG. 19 in a simple and plain manner. It isalso obvious that the configuration of the application module 61 isbasically identical with that of the 1394 interface unit 26 employed inthe DVD player 1 shown in FIG. 12, the 1394 interface unit 36 employedin the optical magnetic disc apparatus 3 shown in FIG. 16 and the 1394interface unit 49 employed in the personal computer 1 shown in FIG. 18.Components employed in the application module 61 shown in detail in FIG.20, from the adder 381 employed in the additive generator 371 to theFIFO unit 392 employed in the shrink generator 373, correspond to thecomponents employed in the 1394 interface unit 36 shown in FIG. 16, fromthe adder 181 employed in the additive generator 171 to the FIFO unit192 employed in the shrink generator 173 respectively. Since all thebits of the key i′ held in a register 384 and the derangement key Siheld in a register 385 are 0, however, the bits of the time variable keyi generated by the adder 386 are all 0. As a result, the applicationmodule 61 in essence operates as if the time variable key i were notpresent. That is to say, the generation of a decryption key is basedonly on the initial value key Ss. Then, a subtractor 374 decrypts theencrypted data or by using the decryption key generated in this way toproduce a clear text. As described above, the encrypted data is a resultof the decryption carried out by the 1394 interface unit 49 based on thetime variable key i, which is generated from the key i′ and thederangement key Si, at the so called 1st stage of decryption. On theother hand, the decryption carried out by the application module 61based on the initial value key Ss is called a 2nd stage of decryptionfor producing a final completely clear text.

When the decryption of the encrypted text described above is completedat the optical magnetic disc 3, the CPU 31 supplies the decrypted datato the drive 35 for recording the data onto an optical magnetic disc.

In the personal computer 2, on the other hand, the CPU 41 supplies thedecrypted data resulting from the 1st stage of decryption carried out bythe 1394 interface unit 49 typically to the hard disc drive 47 forrecording the data by way of the internal bus 51. It should be notedthat, in the personal computer 2, a predetermined board can be connectedto the input/output interface unit 44 as the expansion board 48 formonitoring data transmitted through the internal bus 51 as describedearlier. Nevertheless, it is only the application module 61 that iscapable of finally decrypting data transmitted through the internal bus51. Thus, even if the expansion board 48 is capable of monitoringencrypted data resulting from the decryption carried out by the 1394interface unit 49 based on the time variable key i, the encrypted datais not the completely clear text because the data has not been decryptedby the application module 61 by using the initial value key Ss of thesession key S. As a result, it is possible to prevent a completely cleartext from being copied illegally provided that the completely clear textresulting from the final decryption carried out by the applicationmodule 61 is never transmitted through the internal bus 51.

Typically, adoption of the Diffie-Hellman technique allows the sessionkey S to be shared by a source and sinks.

It is worth noting that there are cases in which the 1394 interface unit49 or the application module 61 employed in the personal computer 2 hasa relatively low processing power so that it is not capable of carryingout decryption of data. In order to cope with such a problem, either ofthe initial value key Ss of the session key S and the time variable keyi or both can be generated in the source as a unit element. By the sametoken, by using either or both of the keys as a unit element in thesink, data can virtually be transmitted from the source to the sinkwithout using the initial value key Ss of the session key S and the timevariable key i. With such a scheme, however, it is more quite within thebounds of possibility that the data is copied illegally.

If the application module 61 itself is an illegal copy, it is much to befeared that the clear text resulting from decryption carried out by theapplication module 61 will also be copied illegally. In order to solvethis problem, the license manager 62 may authenticate the applicationmodule 61 prior to decryption as described earlier.

As a method for authenticating the application module 61, a digitalsignature based on a disclosed encryption key encryption method can beadopted in addition to the common session key encryption/decryptiontechnique described earlier.

The configurations shown in FIGS. 11, 12 and 15 to 20 satisfy ahomomorphism relation. Thai is to say, if keys K₁ and K₂ are elements ofa Galois field G, a group processing result K₁·K₂ of the two elements isalso an element of the Galois field G. In addition, with respect to apredetermined function H, the following equation holds true.H(K ₁ ·K ₂)=H(K ₁)·H(K ₂)

FIG. 21 is a diagram showing another typical detailed configuration ofthe 1394 interface unit 26 employed in the DVD player 1. As shown in thefigure, the initial value key Ss of the session key S is supplied toLFSRs 501 to 503 to be set therein as initial values. The widths of theLFSRs 501 to 503 are n₁ to n₃ bits respectively which are of the orderof 20 bits. The LFSRs 501 are 503 are designed so that their widths n₁to n₃ form an element in conjunction with each other. That is to say,for example, the high order n₁ bits, the intermediate order n₂ bits andthe low order n₃ bits of the initial value key Ss of the session key Sare set in the LFSRs 501, 502 and 503 respectively each as an initialvalue.

When an enable signal with the logic value 1 is supplied to the LFSRs501 to 503 from a clocking function unit 506, the LFSRs 501 to 503 eachshift the contents thereof by m bits, outputting m-bit data. The valueof m can be set typically at 8, 16, 32 or 40.

The data output by the LFSR 501 is added to the data output by the LFSR502 by an adder 504. A carry of the result of the addition carried outby the adder 504 is supplied to the clocking function unit 506 and theresult of the addition itself is added to the data output by the LFSR503 by an adder 505. A carry of the result of the addition carried outby the adder 504 is also supplied to the clocking function unit 506 andthe result of the addition itself is supplied to an exclusive logicalsum computing circuit 508.

The combination of the carries supplied by the adders 504 and 505 to theclocking function unit 506 is either 00, 01, 10 or 11. The clockingfunction unit 506 outputs data representing one of combinations 000 to111 to the LFSRs 501 to 503 in accordance with the combination of thecarries received from the adders 504 and 505. As described above, whenthe enable signal with the logic value 1 is supplied to the LFSRs 501 to503 from the clocking function unit 506, the LFSRs 501 to 503 each shiftthe contents thereof by m bits, outputting new m-bit data. When theenable signal with the logic value 0 is supplied to the LFSRs 501 to 503from the clocking function unit 506, on the other hand, the LFSRs 501 to503 do not shift the contents thereof, outputting the same m-bit data asthe data output right before.

The exclusive logical sum computing circuit 508 receives the result ofaddition carried out by the adder 505 and the time variable key i storedin the register 507, calculating an exclusive logical sum of the inputs.An exclusive logical sum computing circuit 509 calculates anotherexclusive logical sum of the exclusive logical sum output by theexclusive logical sum computing circuit 508 and an input clear text,outputting the other exclusive logical sum as an encrypted text.

FIG. 22 is a diagram showing another typical detailed configuration ofthe 1394 interface unit 36 employed in the optical magnetic discapparatus 3. As shown in the figure, all components employed in the 1394interface unit 36, from an LFSR 601 to an exclusive logical sumcomputing circuit 609, have the same configurations as the correspondingcomponents employed in the 1394 interface unit 26 shown in FIG. 21, fromthe LFSR 501 to the exclusive logical sum computing circuit 509. Thus,since their operations are basically also the same, the explanation oftheir operations is not repeated. The only difference between the 1394interface unit 36 employed in the optical magnetic disc apparatus 3shown in FIG. 22 and the 1394 interface unit 26 employed in the DVDplayer 1 shown in FIG. 21 is that the exclusive logical sum computingcircuit 609 employed in the former decrypts an encrypted text while theexclusive logical sum computing circuit 509 employed in the latterencrypts a clear text.

FIG. 23 is a diagram showing another typical detailed configuration ofthe 1394 interface unit 49 employed in the personal computer 2. As shownin the figure, all components employed in the 1394 interface unit 49,from an LFSR 701 to an exclusive logical sum computing circuit 709, havethe same configurations as the corresponding components employed in the1394 interface unit 36 shown in FIG. 22, from the LFSR 601 to theexclusive logical sum computing circuit 609. The only difference betweenthe 1394 interface unit 36 employed in the optical magnetic discapparatus 3 shown in FIG. 22 and the 1394 interface unit 49 employed inthe personal computer 2 shown in FIG. 23 is that the initial value keySs of the session key S supplied to the LFSRs 701 to 703 employed in thelatter is a unit element will all bits thereof reset to 0. Thus, in thecase of the 1394 interface unit 49 employed in the personal computer 2shown in FIG. 23, the decryption of an encrypted text is in essencebased only on the time variable key i in the register 707 which isgenerated from the key i′ and the derangement key Si of the session keyS.

FIG. 24 is a diagram showing another typical detailed configuration ofthe application module 61 of the personal computer 2. As shown in thefigure, all components employed in the application module 61, from anLFSR 801 to an exclusive logical sum computing circuit 809, have thesame configurations as the corresponding components employed in the 1394interface unit 36 shown in FIG. 22, from the LFSR 601 to the exclusivelogical sum computing circuit 609. The only difference between the 1394interface unit 36 employed in the optical magnetic disc apparatus 3shown in FIG. 22 and the application module 61 of the personal computer2 shown in FIG. 24 is that the time variable key i supplied to theregister 807 employed in the latter is a unit element will all bitsthereof reset to 0. Thus, in the case of the application module 61employed in the personal computer 2 shown in FIG. 24, the decryption ofencrypted data is in essence based only on the initial value key Ss ofthe session key S.

It should be noted that the decryption processing in each of theconfigurations shown in FIGS. 19, 20 and 24 is carried out by theapplication module 61 which is typically implemented by software.

By the way, a license key can be changed or updated, if necessary,should the license key be stolen for some reasons by any chance. It isneedless to say that a license key can also be changed once apredetermined period of time even if the license key is not stolenshould it be quite within the bounds of possibility that the license keyis stolen. In this case, the version of a license key representing theterm of validity is recorded on a DVD. In the case of the presentembodiment, the term of validity of a license key is represented by thenumber of times the hash function is to be applied to generate thelicense key. If an information receiving apparatus for receivinginformation transmitted through a satellite instead of informationplayed back from a DVD player is an object being operated, onlyinformation of a valid version is transmitted to the informationreceiving apparatus by way of the satellite.

FIGS. 25 and 26 are diagrams showing an embodiment implementing aprocedure for generating a source side common session key sk in the DVDplayer 1 and a sink side common session key sk′ in the personal computer2 by using an updated license key. It should be noted that, in additionto the fact that various pieces of information are stored in the EEPROMunit 27 employed in the DVD player 1 and the EEPROM unit 50 employed inthe personal computer 2 of the embodiment shown in FIG. 4, the hashfunction is also stored not only in the. EEPROM unit 26, but also in theEEPROM unit 50 in the case of the present embodiment.

As shown in FIG. 25, the procedure begins with a step S151 at which theDVD player 1 serving as a source makes a request to the personalcomputer 2 serving as a sink for the ID thereof. Then, the proceduregoes on to a step S152 at which the personal computer 2 receives therequest for the ID. The procedure then proceeds to a step S153 at whichthe personal computer 2 transmits the ID to the DVD player 1. Then, theprocedure continues to a step S154 at which the DVD player 1 receivesthe ID.

Subsequently, the procedure goes on to a step S155 at which the DVDplayer 1 concatenates the ID received from the personal computer 2 witha service key stored in the EEPROM unit 27 to form data(ID∥service_key). Then, a license key lk is computed by applying thehash function to the data (ID∥service_key) as shown in the followingequation:lk=hash(ID∥service_key)

The pieces of processing performed at the steps S151 to S155 asdescribed above are the same as those carried out at the steps S1 to S5of the procedure shown in FIG. 4.

The procedure then goes on to a step S156 at which the DVD player 1forms a judgment as to whether or not the license key lk generated atthe step S155 has a valid version, that is, whether or not the licensekey lk has been generated by applying the hash function a number oftimes equal to a predetermined value recorded on the DVD. As describedabove, the present valid version of a license key lk is recorded as thepredetermined value representing the number of times the hash functionis to be applied to generate the license key lk. Assume that thepredetermined value recorded on the DVD is greater than one. Since thenumber of times the hash function has been applied to generate thelicense key lk at the step S155 is 1, the license key lk is judged to beinvalid. In this case the procedure proceeds to a step S157 at which theDVD player 1 initializes a variable g indicating the number of times thehash function has been applied to generate the license key lk at 1 andstores the generated license key lk in a variable lk_(g). Then, theprocedure continues to a step S158 at which the hash function is appliedto the contents of the variable lk_(g) to find a new license keylk_(g+1) according to the following equation:lk_(g+1)=hash(lk_(g))

Subsequently, the procedure goes on to a step S159 to form a judgment asto whether or not the license key lk_(g+1) generated at the step S158has a valid version. If the license key lk_(g+1) does not have a validversion, that is, if the variable g has not reached the predeterminedvalue in the case of the present embodiment, the procedure proceeds to astep S160 at which the DVD player 1 increments the value of the variableg by 1 and stores lk_(g+1) in the variable lk_(g). The procedure thenreturns to the step S158 at which the hash function is again applied tothe contents of the variable lk_(g).

The steps S158 and S159 are executed repeatedly till the value of thevariable q, that is, the number of times the hash function has beenapplied to generate the license key, reaches the predetermined valuerecorded on the DVD as a version of the license key.

It should be noted that the predetermined value serving as an upperlimit of the number of times the hash function can be applied togenerate the license key is set typically at 100.

If the outcome of the judgment formed at the step S159 indicates thatthe number of times the hash function has been applied to generate thelicense key has reached the predetermined value recorded on the DVD as aversion of the license key, that is, if the outcome of the judgmentindicates that a valid license key lk_(g+1) has been obtained at thestep S158, or if the outcome of the judgment formed at the step S156indicates that the license key lk generated at the step S155 is valid,that is, if the number of times the hash function is to be applied togenerate the license key is 1, on the other hand, the procedure proceedsto a step S161 at which the DVD player 1 generates a source side commonsession key sk in the same way as the procedure of FIG. 4 describedearlier.

Then, the procedure continues to a step S162 at which the DVD player 1encrypts the source side common session key sk generated at the stepS161 by using the license key lk_(g) computed at the step S155 or S158as a key to produce an encrypted source side common session key e inaccordance with the following equation:e=Enc(lk_(g),sk)

Subsequently, the procedure goes on to a step S163 at which the DVDplayer 1 transmits the encrypted source side common session key egenerated at the step S162 along with the value of the variable gindicating the number of times the hash function has been applied togenerate the license key lk_(g) to the personal computer 2. Theprocedure then proceeds to a step S164 at which the personal computer 2receives the encrypted source side common session key e and the value ofthe variable g. Then, the procedure proceeds to a step S165 at which thepersonal computer 2 initializes a variable w representing the number oftimes the hash function has been applied to generate a license key inthe personal computer 2 at 1. The procedure then continues to a stepS166 to form a judgment as to whether or not the value of the variable greceived at the step S164 is equal to the value of the variable w set atthe step S165. If they are not equal to each other, the procedure goeson to a step S167 at which the hash function stored in the EEPROM unit50 employed in the personal computer 2 is applied to license_key_(w),the license key also stored in the EEPROM unit 50, to generatelicense_key_(w+1), a new license key in accordance with the followingequation:license_key_(w+1)=hash(license_key_(w))

Then, the procedure continues to a step S168 at which the personalcomputer 2 increments the variable w by 1 and substituteslicense_key_(w+1) for license_key_(w). The procedure then returns to thestep S166 to again form a judgment as to whether or not the value of thevariable g is equal to the value of the variable w. The steps S166 toS168 are executed repeatedly till the value of the variable wrepresenting the number of times the hash function has been applied togenerate the license key becomes equal to the value of the variable g.

If the outcome of the judgment formed at the step S166 indicates thevalue of the variable w is equal to the value of the variable g, thatis, if currently valid license_key_(w) has been obtained, the proceduregoes on to a step S169 at which the personal computer 2 decrypts theencrypted source side common session key e to produce a sink side commonsession key sk′ in accordance with the following equation:sk′=Dec(license_key_(w),e)

By appropriately repeating the application of the hash function togenerate the license key as described above, the information securitycan be further enhanced.

According to the procedure shown in FIGS. 25 and 26, the value of thevariable g representing the version of a license key is transmitted bythe source to the sink. It should be noted, however, that theapplication of the hash function to generate the license key can berepeated as many times as is required without the need to transmit theversion as is the case with an embodiment implementing a procedure shownin FIG. 25 and continued to FIG. 27 instead of FIG. 26.

That is to say, in the case of this embodiment, only the encryptedsource side common session key e is transmitted by the DVD player 1 tothe personal computer 2 at the step S163. At that time, the value of thevariable g representing the version of a license key is not transmitted.The procedure then proceeds to a step S164 at which the personalcomputer 2 receives the encrypted source side common session key e.Then, the procedure goes on to a step S165 at which the personalcomputer 2 decrypts the encrypted source side common session key e toproduce a sink side common session key sk′ using the license_key storedin the EEPROM unit 50 in accordance with the following equation:sk′=Dec(license_key,e)

In the mean time, at a step S166, the DVD player 1 encrypts data to betransmitted to the personal computer 2 by using, among other keys, thesource side common session key sk generated at the step S161 andtransmits the encrypted data to the computer 2. The procedure then goeson to a step S167 at which the personal computer 2 receives theencrypted data and then to a step S168 to decrypt the encrypted data byusing, among other keys, the sink side common session key sk′ generatedat the step S165. Then, the procedure proceeds to a step S169 at whichthe personal computer 2 forms a judgment as to whether or not dataresulting from the decryption carried out at the step S168 is correct.For example, data received as a TS (Transport Stream) packet of the MPEGsystem has a code for synchronization with a hexadecimal value of 47 inthe head of the packet. In this case, the judgment as to whether or notdata is correct can be formed by checking whether or not thesynchronization code is perfect.

If correct decrypted data was not resulted in at the step S168, theprocedure goes on to a step S170 at which the personal computer 2updates the license key in accordance with the following equation:license_key=hash(license_key)

Then, the procedure proceeds to a step S171 at which the personalcomputer 2 again decrypts the encrypted source side common session key ereceived at the step S164 to produce a new sink side common session keysk′ using the updated license key generated at the step S170 inaccordance with the following equation:sk′=Dec(license_key,e)

Subsequently, the procedure returns to the step S168 to again decryptthe encrypted data received at the step S167 by using, among other keys,the sink side common session key sk′ generated at the step S171. Then,the procedure proceeds to a step S169 at which the personal computer 2forms a judgment as to whether or not data resulting from the decryptioncarried out at the step S168 is correct. As such, the steps S170, S171,S168 and S169 are executed repeatedly till the outcome of the judgmentformed at the step S169 indicates that correct decrypted data wasobtained at the step S168.

In this way, the license key is updated to produce correct encrypteddata.

As indicated by the procedure described above, in the source, the sourceside common session key sk has to be generated before data to betransmitted to the sink is encrypted by using the source side commonsession key sk. In the sink, on the other hand, the decryption of theencrypted data received from the source needs to be synchronized withthe decryption of the encrypted source side common session key ereceived from the source. To be more specific, the procedure on the sinkside can not go on from the step S165 to decrypt the encrypted sourceside common session key e to the step S168 to decrypt the decrypted datatill the step S167 to receive the encrypted data is completed.

In addition, the decryption of an encrypted source side common sessionkey e and an encrypted text carried out by the sink must be synchronizedwith the encryption of a source side common session key sk and a cleartext performed by the source. That is to say, a decryption key generatedby the components composing the 1394 interface unit 36 employed in theoptical magnetic disc apparatus 3 shown in FIG. 22, from the LFSR 601 tothe exclusive logical sum computing circuit 608, has to correspond to anencryption key generated by the components composing the 1394 interfaceunit 26 employed in the DVD player 1 shown in FIG. 21, from the LFSR 501to the exclusive logical sum computing circuit 508, and encrypted datadecrypted by using the decryption key must be data resulting fromencryption of a clear text by using the encryption key. As describedabove, the encryption key has thus to be generated by the 1394 interfaceunit 26 shown in FIG. 21 in synchronization with (that is, prior to) theencryption of the input clear text and the decryption key must thereforebe generated by the 1394 interface unit 36 shown in FIG. 22 insynchronization with (that is, prior to) the decryption of the receivedencrypted text even though the synchronization is not explicitly shownin FIGS. 21 and 22.

Accordingly, if a bit is missing for some reasons from a packetcomposing an encrypted text transmitted from a source to a sink by wayof the 1394 serial bus 11, a phase representing a timing relationbetween a clear text and an encryption key in the source can not besustained as a phase representing a timing relation between an encryptedtext and a decryption key in the sink. However, this problem can besolved by updating or reinitializing the phase representing a timingrelation between an encrypted text and a decryption key in the sinkperiodically. FIG. 28 is a diagram showing a typical configuration of anembodiment implementing a source/sink system for updating orreinitializing the phase representing a timing relation between anencrypted text and a decryption key in the sink periodically.

As shown in the figure, in the source, an exclusive logical sumcomputing circuit 901 computes an exclusive logical sum Ci of a randomnumber generated by a random number generator 903 and an input cleartext and outputs the exclusive logical sum Ci to an exclusive logicalsum computing circuit 904 and a processing circuit 902 which alsoreceives the initial value key Ss of a session key S. The processingcircuit 902 carries out predetermined processing on the initial valuekey Ss of the session key S and the exclusive logical sum Ci output bythe exclusive logical sum computing circuit 901, outputting a result Viof the processing to the random number generator 903 as an initialvalue.

The exclusive logical sum computing circuit 904 computes the exclusivelogical sum of the exclusive logical sum Ci generated by the exclusivelogical sum computing circuit 901 and a time variable key i to generatean encrypted text which is transmitted to the sink through the 1394serial bus 11.

The sink carries out operations in the reversed order of those performedby the source. To be more specific, an exclusive logical sum computingcircuit 911 computes an exclusive logical sum Ci of the encrypted textreceived from the source through the 1394 serial bus 11 and the timevariable key i, outputting the exclusive logical sum Ci to an exclusivelogical sum computing circuit 912 and a processing circuit 913 whichalso receives the initial value key Ss of the session key S. Theprocessing circuit 913 carries out predetermined processing on theinitial value key Ss of the session key S and the exclusive logical sumCi output by the exclusive logical sum computing circuit 911, outputtinga processing result Vi to a random number generator 914. The randomnumber generator 914 generates a random number with the processingresult Vi from the processing circuit 913 used as an initial value. Theexclusive logical sum computing circuit 912 computes a final exclusivelogical sum of the random number generated by the random numbergenerator 914 and the exclusive logical sum Ci generated by theexclusive logical sum computing circuit 911, outputting the finalexclusive logical sum as a clear text.

FIG. 29 is a diagram showing a typical configuration of the randomnumber generator 903. As shown in the figure, the random numbergenerators 903 comprises components, from an LFSR 931 to a clockingfunction unit 936. Each of the components shown in the figure has afunction identical with the corresponding LFSR 501 etc., the adder 504etc. or the clock functioning unit 506 etc. of the embodiments shown inFIGS. 21 to 24.

It should be noted that the random number generator 914 has the sameconfiguration as the random number generator 903 shown in FIG. 29.Therefore, it is not necessary to show the configuration of former in aseparate figure.

FIG. 30 shows a flowchart representing operations carried out by each ofthe processing circuits 902 and 913 on the source and sink sidesrespectively.

The operations are explained by referring to the flowchart shown in FIG.30 as follows.

The processing circuit 902 on the source side has a function f expressedby an equation given below to compute a value Vi from an input Cisupplied thereto by the exclusive logical sum computing circuit 901 andthe initial value key Ss of a session key S.Vi=f(Ss,Ci)

As shown in the figure, the flowchart begins with a step S201 at whichthe processing circuit 902 uses the value 0 as an initial value of theinput Ci to compute a value Vi=f (Ss, Ci) as follows:V₀=f(Ss,0)

The operational flow then goes on to a step S202 at which the value V₀computed at the step S201 is supplied to the random number generator 903shown in FIG. 29. In the random number generator 903, the value V₀output by the processing circuit 902 is supplied to the LFSR 931 to 933as an initial value. By using the same technique as the 1394 interfaceunit 26 shown in FIG. 21 and the other embodiments shown in FIGS. 22 to24, a random number is generated and output by the adder 935 employed inthe random number generator 903 to the exclusive logical sum computingcircuit 901 shown in FIG. 28. The exclusive logical sum computingcircuit 901 computes an exclusive logical sum Ci of the random numbergenerated by the random number generator 903 and an input clear text,outputting the exclusive logical sum Ci back to the processing circuit902.

In the mean time, the operational flow shown in FIG. 30 proceeds to astep S203 at which the processing circuit 902 sets a variable i at 1.The operational flow then continues to a step S204 at which theexclusive logical sum Ci received from the exclusive logical sumcomputing circuit 901 is stored in a variable C.

Then, the operational flow goes on to a step S205 at which theprocessing circuit 902 carries out processing in accordance with thefollowing equation:Vi=f(Ss,Ci)+V _(i−1)where Ci is the contents of the variable C.

Since the value of the variable i is 1 at the present time, the aboveequation can be rewritten as follows:V1=f(Ss,C ₁)+V ₀where V₀ is a value computed at the step S201.

Subsequently, the operational procedure goes on to a step S206 at whichthe processing circuit 902 forms a judgment as to whether or not thecontents of the variable C, that is, C₁ in this case, are equal to apredetermined value T set in advance. In the mean time, the exclusivelogical sum computing circuit 901 outputs other exclusive logical sum Cito the processing circuit 902. If the exclusive logical sum Ci is foundunequal to the value T at the step S206, the operational flow proceedsto a step S207 at which the contents of the variable i are incrementedby 1 before returning to the step S204 at which the other exclusivelogical sum Ci received from the exclusive logical sum computing circuit901, that is, C₂ since i=2,is stored in the variable C.

Then, the operational flow goes on to the step S205 at which theprocessing circuit 902 carries out processing in accordance with thefollowing equation:V ₂ =f(Ss,C ₂)+V ₁where V1 is a value computed at the step S205 in the immediatelyprevious iteration.

Subsequently, the operational procedure goes on to the step S206 atwhich the processing circuit 902 forms a judgment as to whether or notthe input exclusive logical sum Ci, that is, C₂ in this case, is equalto the predetermined value T. If the input exclusive logical sum Ci isfound unequal to the value T, the operational flow proceeds to the stepS207 at which the contents of the variable i are incremented by 1 beforereturning to the step S204. In this way, the steps S204 to S207 areexecuted repeatedly till the input exclusive logical sum Ci becomesequal to the value T.

If the input exclusive logical sum Ci is found equal to the value T atthe step S206, on the other hand, the operational flow proceeds to thestep S208 at which the value Vi (that is, V₁ in this case) computed atthe step S205 is output to the random number generator 903 as the valueV₀ computed at the step S201 was output to the random number generator903 at the step S202. In the random number generator 903, the value V1output by the processing circuit 902 is supplied to the LFSR 931 to 933as an initial value. A random number for the initial value is generatedand output by the adder 935 employed in the random number generator 903to the exclusive logical sum computing circuit 901 shown in FIG. 28. Theexclusive logical sum computing circuit 901 computes an exclusivelogical sum Ci of the random number generated by the random numbergenerator 903 and an input clear text, outputting the exclusive logicalsum Ci back to the processing circuit 902.

In the mean time, after the processing circuit 902 outputs the value Viat the step S208 to the random number generator 903, the operationalflow shown in FIG. 30 returns to the step S203 at which the processingcircuit 902 resets the variable i at 1. Thereafter, the steps S203 toS208 are executed repeatedly.

Assume that the value T is 8 bits in width and the generationprobability of the value of Ci is uniform. In this case, the probabilityof the Ci value's being equal to T is 1/256 where 256 is the eighthpower of 2. That is to say, the generation of the exclusive logical sumCi having a value equal to T occurs at a rate of once per 256sequentialoperations carried out by the exclusive logical sum computing circuit901 to generate the exclusive logical sum Ci. As a result, the initialvalue used in the random number generator 903 for generating a randomnumber is updated at a rate of once per 256 sequential operationscarried out by the exclusive logical sum computing circuit 901 togenerate the exclusive logical sum Ci.

The exclusive logical sum Ci output by the exclusive logical sumcomputing circuit 901 is also supplied to the exclusive logical sumcomputing circuit 904 for computing the exclusive logical sum of theexclusive logical sum Ci and the time variable key i. The exclusivelogical sum computed by the exclusive logical sum computing circuit 904is output to the 1394 serial bus 11 as an encrypted text.

In the sink, the exclusive logical sum computing circuit 911 computes anexclusive logical sum Ci of the encrypted text received from the sourcethrough the 1394 serial bus 11 and the time variable key i, outputtingthe exclusive logical sum Ci to the exclusive logical sum computingcircuit 912 and the processing circuit 913 which also receives theinitial value key Ss of the session key S. Much like the processingcircuit 902 on the source side, the processing circuit 913 carries outpredetermined processing on the initial value key Ss of the session keyS and the exclusive logical sum Ci output by the exclusive logical sumcomputing circuit 911, outputting a processing result Vi to the randomnumber generator 914 at a rate of once per 256 sequential operations togenerate the exclusive logical sum Ci. The random number generator 914generates a random number with the processing result Vi used as aninitial value. The exclusive logical sum computing circuit 912 computesa final exclusive logical sum of the random number generated by therandom number generator 914 and the exclusive logical sum Ci generatedby the exclusive logical sum computing circuit 911 and outputs the finalexclusive logical sum as a clear text.

As described above, the processing circuit 913 outputs the processingresult Vi to the random number generator 914 at a rate of once per 256sequential operations carried out by the exclusive logical sum computingcircuit 911 to generate the exclusive logical sum Ci. As a result, aphase representing a timing relation between an encrypted texttransmitted from a source to a sink by way of the 1394 serial bus 11 anda random number used as a decryption key in the sink can be recovered inthe event of a bit missing for some reasons from a packet composing theencrypted text at the time the processing circuit 913 outputs theprocessing result Vi to the random number generator 914 at a rate ofonce per 256 sequential operations to generate the exclusive logical sumCi.

It should be noted that, since the processing circuit 902 or 913 outputsthe processing result Vi to the random number generator 914 when theexclusive logical sum Ci becomes equal to the value T (Ci=T), theprocessing circuit 913 does not output the processing result Vi to therandom number generator 914 periodically. Instead, nothing more can besaid more than the fact that the processing circuit 913 outputs theprocessing result Vi to the random number generator 914 at a probabilityof once per 256sequential operations to generate the exclusive logicalsum Ci on the average.

It is worth noting that the rate at which the processing circuits 902and 913 output the processing result Vi to the random number generators903 and 914 can also be based on the number of pieces of encrypted datatransmitted by the source and received by the sink. When a piece of datais missing in the course of transmission through the 1394 serial bus 11,however, this method will have a problem that the data piece count onthe source side will be different from the data piece count on the sinkside, making it no longer possible to establish synchronization betweenthe source and the sink. It is thus desirable to adopt thesynchronization technique implemented by the embodiment described above.

As an initial value used in the random number generator 903 or 914, theexclusive logical sum Ci output by the exclusive logical sum computingcircuit 901 or 911 can be supplied to the random number generator 903 or914 respectively as it is. In this case, however, transmitted throughthe 1394 serial bus 11, it is much to be feared that the exclusivelogical sum Ci is stolen. That is why the exclusive logical sum Ci isnot used directly as an initial value. Instead, by using a value Viresulting from predetermined processing carried out on the exclusivelogical sum Ci as an initial value, the data security can be furtherimproved.

By the way, there are 2 methods of transferring data through the IEEE1394 serial bus 11. One of them is an asynchronous transfer methodwhereas the other is an isochronous transfer method. In the asynchronoustransfer method, data is transferred between two apparatuses. In theisochronous transfer method, on the other hand, data is broadcasted fromone apparatus to all others connected to the 1394 serial bus. Thus, thecommunications for authentication of sinks and the key sharing protocolsof the embodiments shown in FIG. 4 and the other figures are normallyaccomplished by adopting the asynchronous transfer method since there isno need for broadcasting information from the source to all sinks.

In the authentication and the key sharing protocol of the embodimentshown in FIG. 4, the personal computer 2 is capable of acquiring anencrypted source side common session key e from the DVD player 1 even ifthe personal computer 2 is an unauthorized apparatus which does not havethe correct license key. As described earlier, the encrypted source sidecommon session key e is an encrypted text resulting from encryption of asource side common session key sk using the license key lk. Since thepersonal computer 2 is an unauthorized apparatus which does not have thecorrect license key, the personal computer 2 is not capable of obtainingthe correct sink side common session key sk′ by decryption of theencrypted source side common session key e. It is much to be feared,nevertheless, that the encrypted source side common session key e can beused directly in decryption of encrypted information as it is.

If the personal computer 2 also receives the source side common sessionkey sk (a clear text) in addition to the encrypted source side commonsession key e (an encrypted text resulting from encryption of the sourceside common session key. sk using the license key lk) for some reasons,both the clear text and the corresponding encrypted texts are obtained.In this case, it is much to be feared that the clear and encrypted textsare used for finding the license key that the personal computer 2 doesnot have. It should be noted that, in general, the more the pairs ofclear and encrypted texts known by an attacker, the easier the reversemethod adopted by the attacker to know the license key used to producethe encrypted texts from the clear texts.

In addition, an unauthorized personal computer 2 may transmit a false IDto the DVD player 1 which uses the false ID for computing the licensekey lk. The license key lk is in turn used for encrypting the sourceside common session key sk to produce the encrypted source side commonsession key e which is then transmitted to the personal computer 2.Assume that the personal computer 2 is allowed to make a request for thetransmission of an encrypted source side common session key e during asession by transmitting an ID. If such a request is made several times,a plurality of license keys are generated by the DVD player 1 fromdifferent IDs received from the personal computer 2. As a result, aplurality of encrypted source side common session keys e resulting fromencryption of the source side common session key sk for the session arereceived by the personal computer 2. That is to say, once the personalcomputer 2 obtains the source side common session key sk, the personalcomputer 2 is capable of knowing a plurality of pairs each comprisingthe source side common session key sk and one of the encrypted sourceside common session keys e.

An embodiment implementing an authentication procedure shown in FIG. 31addresses the problem described above. The procedure prevents anunauthorized sink from receiving a plurality of encrypted source sidecommon session keys e resulting from encryption of a source side commonsession key sk by using different license keys lk. The procedure shownin the figure is basically the same as the one shown in FIG. 4 exceptthat, prior to a request for an ID made by the source to the sink, somepieces of processing are carried out.

To put it in detail, as shown in the procedure of the figure, at a stepS201, the personal computer 2 serving as the sink transmits a requestfor authentication, that is, a request for the start of anauthentication protocol, to the DVD player 1 serving as the source. Thisrequest for authentication is transferred by using the asynchronoustransfer method as is the case with the other transfers in the protocol.

Apparatuses connected to the IEEE 1394 serial bus 11 each have a uniquenode number assigned thereto at a bus reset time. The node number isused to specify and identify an information transmitting or receivingapparatus.

FIG. 32 is a diagram showing the format of a write request for a dataquadlet packet, one of asynchronous packets. The destination ID field ofthe format is the node number of an information receiving apparatus andthe source ID field of the format is the node number of an informationtransmitting apparatus. In the case of a packet conveying a request forauthentication, data indicating that the packet is a request forauthentication is included in the quadlet data field.

Receiving the asynchronous packet conveying a request for authenticationat a step S202, the DVD player 1 fetches the source ID, that is, thenode ID of an information transmitting apparatus transmitting thepacket. The procedure then goes on to a step S203 at which the DVDplayer 1 forms a judgment as to whether or not an encrypted source sidecommon session key e resulting from encryption of the source side commonsession key sk for the present session has been transmitted to theinformation receiving apparatus identified by the node number. If theoutcome of the judgment formed at the step S203 indicates that anencrypted source side common session key e resulting from encryption ofthe source side common session key sk for the present session has beentransmitted to the information receiving apparatus identified by thenode number, the processing of the authentication protocol for thepersonal computer 2 is terminated. If the outcome of the judgment formedat the step S203 indicates that an encrypted source side common sessionkey e resulting from encryption of the source side common session key skfor the present session has not been transmitted to the informationreceiving apparatus identified by the node number, on the other hand,the procedure goes on to a step S204 to start execution of theauthentication protocol.

Pieces of processing carried out at the steps S204 to S213 of theprocedure shown in FIG. 31 are the same as those of the steps S1 to S10of the procedure shown in FIG.4.

After the above pieces of processing are carried out, at a step S214,the DVD player 1 records the node number of the personal computer 2fetched at the step S213 into the EEPROM unit 27. The node number iskept therein as long as the DVD player 1 uses the source side commonsession key sk of the present session. As another source session key skis generated for a next session, the node number is deleted from theEEPROM unit 27.

With the protocol described above, only one encrypted source side commonsession key e is transmitted to a sink. As a result, security oftransmitted information can be improved.

By the way, at the step S7 of the authentication protocol shown in FIG.4, a source side common session key sk is encrypted by the source usinga license key lk to produce an encrypted source side common session keye which is then transmitted to the sink. As an encryption algorithm, ablock encryption is used widely. In the block encryption, a clear textis encrypted in fixed length block units. A DES encryption is agenerally known block encryption. The DES encryption is an encryptionalgorithm for transforming each 64 bit block of a clear text into a 64bit encrypted text.

Assume that an n-bit block encryption is an encryption algorithm used atthe step S7 of the procedure shown in FIG. 4 to transform an n-bit cleartext into an n-bit encrypted text and the number of bits in the sourceside common session key sk is n. Also assume that an n-bit resultobtained from application of the encryption algorithm to the n-bitsource side common session key sk and the license key lk is used as itis as an encrypted source side common session key sk e.

Assume that the source makes an attempt to transmit another encryptedsource side common session key e to a sink after a previous encryptedsource side common session key e in the same session. Also assume thatthe previous encrypted source side common session key e has been stolenby an unauthorized person. Since the transaction is done in the samesession, the source side common session key sk remains unchanged. Inaddition, since the same encryption algorithm is adopted in producingthe other encrypted source side common session key e from the sourceside common session key sk and the same license key lk is used in thealgorithm, the other encrypted source side common session key e is thesame as the previous encrypted source side common session key e. It isquite within the bounds of possibility that the other encrypted sourceside common session key e is also stolen by an unauthorized person. Ifthe other encrypted source side common session key e is also stolen bythe unauthorized person by any chance, the person will know that thesame source side common session key sk is still being used, causing aproblem.

An embodiment implementing an authentication procedure shown in FIG. 33addresses the problem described above. Since pieces of processingcarried out at steps S221 to S226 of the procedure shown in the figureare the same as those of the steps S1 to S6 of the procedure shown inFIG. 4, their explanation is not repeated.

At a step S227, the source generates an n-bit random number r. Theprocedure then goes on to a step S228 at which a concatenation of therandom number r with the source side common session key sk is encryptedby using the license key lk as follows:e=Enc(lk,r∥sk)

The encryption is carried out in an encryption mode called a CBC mode.FIG. 34 is a diagram showing the configuration of a system implementingthe CBC mode. The left hand side half and the right hand side half ofthe figure represent encryption and decryption respectively. The sameinitial values IV are stored in registers 1003 and 1012. The initialvalue IV is fixed throughout the entire system.

In the encryption processing, first of all, an exclusive logical sumprocessing circuit 1001 computes an exclusive logical sum of a 1st n-bitblock of a clear text and the initial value IV stored in the register1003. The exclusive logical value is supplied to an encryptor 1002. Ann-bit encrypted text produced by the encryptor 1002 is output to acommunication line as a 1st block and fed back to the register 1003.

When a 2nd n-bit block of the clear text is supplied, the exclusivelogical sum processing circuit 1001 computes an exclusive logical sum ofthe 2nd n-bit block of the clear text and the 1st block of the encryptedtext stored in the register 1003. The exclusive logical value issupplied to the encryptor 1002 to be encrypted therein. An n-bitencrypted text produced by the encryptor 1002 is output to thecommunication line as a 2nd block and fed back to the register 1003. Theoperations described above are carried out repeatedly.

On the decryption side, on the other hand, the 1st block of theencrypted text transmitted through the communication line is decryptedby a decryptor 1011. An exclusive logical sum processing circuit 1013computes an exclusive logical sum of the output of the decryptor 1011and the initial value IV stored in a register 1012 to produce the 1stblock of the clear text.

The 1st block of the encrypted text received through the communicationline is also stored in the register 1012. Then, the 2nd block of theencrypted text transmitted through the communication line is receivedand decrypted by the decryptor 1011. The exclusive logical sumprocessing circuit 1013 computes an exclusive logical sum of the 2ndblock of the decryption result output by the decryptor 1011 and the 1stblock of the encrypted text stored in the register 1012 to produce the2nd block of the clear text.

The 2nd block of the encrypted text received through the communicationline is also stored in the register 1012.

The operations described above are carried out repeatedly to accomplishdecryption processing.

It should be noted that, the CBC mode is described in detail in thesecond edition of the reference with the title “Applied Cryptography”authored by Bruce Schneider.

Refer back to the procedure shown in FIG. 33. At the step S228, then-bit random number r and the source side common session key sk are usedin the encryption algorithm as 1st and 2nd blocks of the clear text.That is to say, the exclusive logical sum processing circuit 1001computes an exclusive logical sum of the random number r, that is, the1st n-bit block of the clear text, and the initial value IV stored inthe register 1003. The exclusive logical value is supplied to theencryptor 1002 to be encrypted therein by using the license key lk.Thus, the encryptor 1002 produces Enc (lk, r (+) IV).

The output of the encryptor 1002 is stored in the register 1003. Whenthe source side common session key sk, that is, the 2nd block of theclear text, is received, the exclusive logical sum processing circuit1001 computes an exclusive logical sum of the 2nd block of the cleartext and the output of the encryptor stored in the register 1003. As aresult, the encryptor 1002 produces Enc (lk, sk (+) Enc (lk, r (+) IV)).

At a step S229, the source concatenates the two blocks with each otherto produce e which is transmitted to the sink according to the followingequation:e=Enc(lk,r(+)IV)∥Enc(lk,sk(+)Enc(lk,r(+)IV))

On the sink side, the output e of the encryptor 1002 is received at astep S230. The procedure then goes on to a step S231 at which theencrypted source side common session key e is decrypted by using thelicense key stored in the EEPROM unit 50. A result of decryptioncomprises a 1st block r′ and a 2nd block sk′, the sink side commonsession key.

In the encryption and decryption described above, only the use of thecorrect license key by the sink will result in sk=sk′. As a result, thesource and the sink are allowed to share a common session key.

The equation of the encrypted source side common session key e givenabove means that, each time the source side common session key sk isencrypted, a different encrypted source side common session key e isresulted in even if the value of the session key sk remains unchanged.This is because the random number r involved in the encryption changes.As a result, it is difficult for a person who stole different values ofthe encrypted source side common session key sk to determine whether ornot the values are generated in the same session.

It should be noted that, in addition to the CBC mode described above,generally known use modes of the block encryption include an ECB mode, aCFB mode and an OFB mode. Since the last two modes each include afeedback loop, they can be applied to the processing shown in FIG. 33.As a matter of fact, any encryption modes can be applied to theprocessing shown in FIG. 33 as long as they include a feedback loop. Usemodes of the block encryption are also described in detail in the secondedition of the reference with the title “Applied Cryptography” authoredby Bruce Schneider.

By the way, in the processing implemented by the embodiment shown inFIG. 4, the source encrypts a source side common session key sk andtransmits an encrypted source side common session key e to the sink.Since only an authorized sink is capable of correctly decrypting theencrypted source side common session key e to produce a sink side commonsession key sk′ having the same value as the source side common sessionkey sk, in essence, the embodiment is a system wherein the sink isauthenticated by the source. In this procedure, however, the sourceitself is not authenticated. As a result, even if an unauthorized sourcetransmits haphazard data as an encrypted source side common session keyto a sink, it is quite within the bounds of possibility that the sinkaccepts a result of decryption of the encrypted source side commonsession key e as a sink side common session key sk′. In order to solvethis problem, an embodiment implementing the authentication procedure asshown in FIG. 35 is provided.

As shown in the figure, the authentication procedure begins with a stepS241 at which the personal computer 2 serving as the sink generates arandom number r having a predetermined number of bits. In theembodiment, the number of bits is 64, a typical value. The procedurethen goes on to a step S242 at which the random number is transmitted tothe DVD player 1 serving as the source. Then, the procedure proceeds toa step S243 at which the DVD player 1 receives the random number r.Subsequently, the procedure continues to a step S244 at which the DVDplayer 1 makes a request for an ID to the personal computer 2. Theprocedure then goes on to a step S245 at which the personal computer 2receives the request. Then, the procedure proceeds to a step S246 atwhich the personal computer 2 reads out the requested ID from the EEPROMunit 50 and transmits the ID to the DVD player 1. Subsequently, theprocedure continues to a step S247 at which the DVD player 1 receivesthe ID.

The procedure then goes on to a step S248 at which the DVD player 1generates a license key lk by using the following equation.lk=hash(ID∥service_key)

Then, the procedure proceeds to a step S249 at which the DVD player 1generates a source side common session key sk.

Subsequently, the procedure continues to a step S250 at which the DVDplayer 1 generates an encrypted source side common session key e byusing the following equation:e=Enc(lk,r∥sk)

The procedure then goes on to a step S251 at which the DVD player 1transmits the encrypted source side common session key e to the personalcomputer 2.

It should be noted that any encryption mode including a feedback loopsuch as the CBC mode is adopted in the encryption carried out at thestep S250.

Then, the procedure proceeds to a step S252 at which the personalcomputer 2 receives the encrypted source side common session key e.Subsequently, the procedure continues to a step S253 at which thepersonal computer 2 decrypts the encrypted source side common sessionkey e by using the license key to produce r′∥sk′, a concatenation of r′with sk′.

The number of bits included in r′ is the same as that of the randomnumber r generated at the step S241 which is determined in advance.

The procedure then goes on to a step S254 at which the personal computer2 examines if r=r′ holds true. If r=r′ holds true, the personal computer2 authenticates the DVD player1 as a valid source and accepts the sourceside common session key sk′ as a correct session key. This is becauseonly an apparatus capable of generating a correct license key lk iscapable of generating such an encrypted source side common session key ethat a result r′ of decryption of the encrypted source side commonsession key e using the license key is equal to the random number r.

If r=r′ does not hold true, on the other hand, the personal computer 2does not authenticate the DVD player1 as a valid source and, hence,discards the source side common session key sk′.

By providing an embodiment for implementing an authentication procedureas described above, the sink is capable of authenticating the source. Inaddition, the authentication procedure also retains the feature thatonly an authorized sink is capable of generating a correct sink sidecommon session key sk′ as is the case with the embodiment shown in FIG.4.

FIG. 36 is a diagram showing another embodiment implementing anauthentication procedure whereby the sink is capable of authenticatingthe source. Since pieces of processing carried out at steps S261 to S266of the procedure shown in the figure are the same as those of the stepsS1 to S6 of the procedure shown in FIG. 4, their explanation is notrepeated.

At a step S267, the DVD player 1 picks up time information T. To put itconcretely, the contents of a 32-bit cycle_time register prescribed bythe IEEE 1394specifications are typically used as time information. Thecycle_time registers are used to make time information of apparatusesconnected to the IEEE 1394 serial bus 11 uniform. The cycle_timeregisters of the apparatuses are updated uniformly by a packetbroadcasted by a cycle master, an apparatus on the 1394 serial bus 11.The contents of each of the cycle_time registers are incremented by oneby a common clock signal with a frequency of 24.576 MHz or incrementedonce for every about 40 nanoseconds through the 1394 serial bus 11. Inthis way, the times of the apparatuses connected to the 1394 serial bus11 are adjusted to agree with each other.

The procedure then goes on to a step S268 at which the DVD player 1encrypts T∥sk to produce an encrypted source side common session key e.Then, the procedure proceeds to a step S269 to transmit the encryptedsource side common session key e to the personal computer 2. It shouldbe noted that any encryption mode including a feedback loop such as theCBC mode is adopted as an encryption mode.

Then, the procedure proceeds to a step S270 at which the personalcomputer 2 receives the encrypted source side common session key e.Subsequently, the procedure continues to a step S271 at which theencrypted source side common session key e is decrypted by using thelicense key to produce a result of decryption T′∥sk′. The T′ portion inthe result of decryption is 32 bits in width.

The procedure then goes on to a step S272 to examine the validity of T′by comparing T′ with the contents of the cycle_time register of thepersonal computer 2 itself. If the difference is smaller than a typicalpredetermined value of 100 milliseconds, for example, T′ is judged to bevalid. If the difference is greater than the predetermined value, on theother hand, T′ is judged to be invalid.

If T′ passes the validity test, the personal computer 2 judges the DVDplayer 1 to be a valid apparatus and hence accepts the sink side commonsession key sk′. If T′ does not pass the validity test, on the otherhand, the personal computer 2 judges the DVD player 1 to be an invalidapparatus. In this case, the sink side common session key sk′ isdiscarded. This is because only an apparatus capable of generating acorrect license key lk is capable of generating such an encrypted sourceside common session key e that the result T′ of decryption of theencrypted source side common session key e using the license key isequal to the contents of the cycle_time register.

By providing an embodiment for implementing an authentication procedureas described above, the sink is capable of authenticating the source. Inaddition, the authentication procedure also retains the feature thatonly an authorized sink is capable of generating a correct sink sidecommon session key sk′ as is the case with the embodiment shown in FIG.4.

In the processing implemented by the embodiment shown in FIG. 4, only anauthorized sink having the license key is capable of correctlydecrypting the encrypted source side common session key e to produce asink side common session key sk′ which is equal to the source sidecommon session key sk. Thus, in essence, the embodiment is a systemwherein the source authenticates the sink. In this system, however, evenan unauthorized sink is capable of obtaining an encrypted source sidecommon session key e resulting from encryption of a source side commonsession key sk using a license key lk. It is thus quite within thebounds of possibility that the unauthorized sink decrypts the encryptedsource side common session key e in an attempt to obtain a sink sidecommon session key sk′ which is equal to the source side common sessionkey sk.

FIG. 37 is a diagram showing an embodiment implementing anauthentication procedure for solving the problem described above wherebythe source transmits an encrypted text resulting from encryption of thesource side common session key sk only after the source hasauthenticated the sink as a valid apparatus. The procedure is explainedbelow by referring to FIG. 37. In this embodiment, any encryption modeincluding a feedback loop such as the CBC mode can be adopted as anencryption mode.

Since pieces of processing carried out at steps S281 to S285 of theprocedure shown in the figure are the same as those of the steps S1 toS5 of the procedure shown in FIG. 4, their explanation is not repeated.At a step S286, the DVD player 1 generates random numbers r1 and r2 eachhaving a number of bits determined in advance at typically 64 andconcatenates them to form M1. The procedure then goes on to a step S287at which the DVD player 1 encrypts Ml by using the license key lk togenerate X which is then transmitted to the personal computer 2 at astep S288.

The personal computer 2 receiving X at a step S289 decrypts X by usingthe license key at a step S290 to produce M′ which is regarded asr1′∥r2′, a concatenation of r1′ and r2′ each comprising a predeterminednumber of bits, typically, 64 bits. Then, the procedure proceeds to astep S291 to generate a random number r3 having a predetermined numberof bits, typically, 64. Subsequently, the procedure continues to a stepS292 at which r3 is concatenated with r2′ to form M2. The procedure thengoes on to a step S293 at which M2 is encrypted by using the license keyto generate Y which is then transmitted to the DVD player 1 at a stepS294.

The DVD player 1 receiving Y at a step S295 decrypts Y by using thelicense key lk at a step S296 to form M2′ which is regarded as r3′∥r2″,a concatenation of r3′ and r2″ each comprising a predetermined number ofbits, typically, 64 bits. The procedure then goes on to a step S297 atwhich r2″ is compared with r2 generated at the step S286 to check ifthey are equal to each other. If r2″ is found unequal to r2, the DVDplayer 1 judges the personal computer 2 to be an unauthorized apparatusand hence terminates the authentication protocol. If r2″ is found equalto r2, on the other hand, the procedure proceeds to a step S298 at whichthe DVD player 1 generates a source side common session key sk. Theprocedure then continues to a step S299 at which r3′ is concatenatedwith sk to produce M3. Then, the procedure goes on to a step S300 atwhich M3 is encrypted by using the license key lk to produce anencrypted text Z which is then transmitted to the personal computer 2 ata step S301.

The personal computer 2 receiving Z at a step S302 decrypts Z by usingthe license key at a step S303 to produce M3′ which is regarded asr3″∥sk′, a concatenation of r3″ and sk′ each comprising a predeterminednumber of bits, typically, 64 bits. The procedure then goes on to a stepS304 to check if r3″ is equal to r3 generated at the step S291. If r3″is found unequal to r3, the personal computer 2 judges the DVD player 1to be an unauthorized apparatus and, hence, terminates theauthentication protocol. If r3″ is found equal to r3, on the other hand,the personal computer 2 accepts the sink side common session key sk′produced at the step S303 as the source side common session key sk.

With the authentication protocol implemented by the embodiment describedabove, after the DVD player 1 serving as a source has authenticated thepersonal computer 2 as an authorized sink, the DVD player 1 transmitsthe encrypted text Z resulting from encryption of the source side commonsession key sk to the sink. On the top of that, much like the embodimentshown in FIG. 33, in the case of the present embodiment, even if thesource side common session key sk from which the source produces anencrypted text Z by using the license key lk remains unchanged in asession, Z varies from encryption to encryption during the session dueto the fact that r3′, a variable number, is involved in each encryption.As a result, the present embodiment offers a feature that makes itdifficult for an unauthorized person to steal transmitted information.

However, the embodiment shown in FIG. 37 has a problem if r1, r2, r3 andsk are each n bits in width due to the fact that an n-bit encryptionalgorithm is adopted. This is because, if the first n bits of Y receivedat the step S295 are used as the first n bits of Z at the step S300 asthey are, the source will pass the validity test carried out by the sinkat the step S303 even if the source is an unauthorized apparatus.

Addressing the problem described above, the present invention providesother embodiments shown in FIGS. 38 to 40, diagrams each showing anauthentication protocol whereby, not only does the source transmit anencrypted text resulting from encryption of a source side common sessionkey sk after verifying the validity of the sink, but the sink is alsocapable of authenticating the source. The procedures shown in FIGS. 38and 39 are each a typical modification of the embodiment shown in FIG.37.

First of all, the embodiment implementing an authentication protocol ofFIG. 38 is explained. In this embodiment, any encryption mode includinga feedback loop such as the CBC mode can be adopted as an encryptionmode.

Since pieces of processing carried out at steps S311 to S327 of theprocedure shown in the figure are the same as those of the steps S281 toS297 of the procedure shown in FIG. 37, their explanation is notrepeated. At a step S328, the DVD player 1 generates a random number r4and a sources side common session-key sk each having a number of bitsdetermined in advance at typically 64. The procedure then goes on to astep S329 at which r4 is concatenated with r3′ and sk to produce M3.Then, the procedure proceeds to a step S330 at which M3 is encrypted byusing the license key lk to produce Z which is then transmitted to thepersonal computer 2 at a step S331.

The personal computer 2 receiving Z at a step S332 decrypts Z by usingthe license key at a step S333 to produce M3′ which is regarded asr4′∥r3″∥sk′, a concatenation of r4′, r3″ and sk′ each comprising apredetermined number of bits, typically, 64 bits. The procedure thengoes on to a step S334 to check if r3″ is equal to r3 generated at thestep S321. If r3″ is found unequal to r3, the personal computer 2 judgesthe DVD player 1 to be an unauthorized apparatus and, hence, terminatesthe authentication protocol. If r3″ is found equal to r3, on the otherhand, the personal computer 2 accepts the sink side common session keysk′ produced at the step S333 as the source side common session key sk.

In the embodiment implementing the authentication protocol describedabove, not only does the source transmit an encrypted text resultingfrom encryption of a source side common session key after verifying thevalidity of the sink, but the sink is also capable of authenticating thesource.

Much like the procedure of FIG. 38 described above, the procedure shownin FIG. 39 is also a typical modification of the embodiment shown inFIG. 37. In this embodiment, any encryption mode including a feedbackloop such as the CBC mode can be adopted as an encryption mode.

Since pieces of processing carried out at steps S351 to S361 of theprocedure shown in FIG. 39 are the same as those of the steps S281 toS291 of the procedure shown in FIG. 37, their explanation is notrepeated. At a step S362, the personal computer 2 generates r2′∥r3 asM2. The procedure then goes on to a step S363 at which the personalcomputer 2 encrypts M2 by using the license key to produce Y which isthen transmitted to the DVD player 1 at a step S364.

The DVD player 1 receiving Y at a step S365 decrypts Y by using thelicense key lk at a step S366 to produce M2′ which is regarded asr2″∥r3, a concatenation of r2″ and r3 each comprising a predeterminednumber of bits, typically, 64 bits. The procedure then goes on to a stepS367 to check if r2″ is equal to r2 generated at the step S356. If r2″is found unequal to r2, the DVD player 1 judges the personal computer 2to be an unauthorized apparatus and, hence, terminates theauthentication protocol. If r2″ is found equal to r2, on the other hand,the procedure goes on to a step S368 at which the DVD player 1 generatesa source side common session key sk. The procedure then proceeds to astep S369 at which sk is concatenated with r3′ to produce M3. Then, theprocedure continues to a step S370 at which M3 is encrypted by using thelicense key lk to produce an encrypted text Z which is then transmittedto the personal computer 2 at a step S371.

The personal computer 2 receiving z at a step S372 decrypts z by usingthe license key at a step S373 to produce M3′ which is regarded asr3″∥sk′, a concatenation of r3″ and sk′ each comprising a predeterminednumber of bits, typically, 64 bits. The procedure then goes on to a stepS374 to check if r3″ is equal to r3 generated at the step S361. If r3″is found unequal to r3, the personal computer 2 judges the DVD player 1to be an unauthorized apparatus and, hence, terminates theauthentication protocol. If r3″ is found equal to r3, on the other hand,the personal computer 2 accepts the sink side common session key sk′produced at the step S373 as the source side common session key sk.

In the embodiment implementing the authentication protocol as describedabove, the source transmits an encrypted text resulting from encryptionof a source side common session key sk to the sink after verifying thevalidity of the sink and, in addition, the sink is also capable ofauthenticating the source. On the top of that, much like the embodimentshown in FIG. 33, in the case of the present embodiment, even if thesource side common session key sk from which the source produces anencrypted text Z by using the license key lk remains unchanged in asession, Z varies from encryption to encryption during the session dueto the fact that r4, a variable number generated by the DVD player 1, isinvolved in each encryption. As a result, the present embodiment offersa feature that makes it difficult for an unauthorized person to stealtransmitted information.

FIG. 40 is a diagram showing an embodiment implementing anauthentication protocol having the same functions as those shown inFIGS. 38 and 39. Also in the present embodiment, any encryption modeincluding a feedback loop such as the CBC mode can be adopted as anencryption mode. Since pieces of processing carried out at steps S381 toS384 of the procedure shown in the figure are the same as those of thesteps S1 to S4 of the procedure shown in FIG. 4, their explanation isnot repeated. At a step S385, the DVD player 1 generates a random numberRsrc having a predetermined number of bits, typically, 64 bits. Theprocedure then goes on to a step S386 at which the random number Rsrc istransmitted to the personal computer 2.

Then, the procedure proceeds to a step S387 at which the personalcomputer 2 receives the random number Rsrc. Subsequently, the procedurecontinues to a step S388 at which the personal computer 2 generates arandom number Rsnk having a predetermined number of bits, typically, 64bits. The procedure then goes on to a step S389 at which the randomnumber Rsrc is concatenated with the random number Rsnk to generate M1.Then, the procedure proceeds to a step S390 at which M1 is encrypted byusing the license key to produce X which is then transmitted to the DVDplayer 1 at a step S391.

At a step S392, the DVD player 1 receives X. The procedure then goes onto a step S393 at which a license key lk is computed from an ID assignedto the personal computer 2 and a service key. At a step S394, thelicense key lk is used for decrypting X to produce M1′ which is regardedas Rsnk′∥Rsrc′, a concatenation of Rsnk′ and Rsrc′ each comprising apredetermined number of bits, typically, 64 bits. Then, the procedureproceeds to a step S395 to check if Rsrc′=Rsrc. If Rsrc′ is foundunequal to Rsrc, the personal computer 2 is judged to be an unauthorizedapparatus in which case the authentication protocol is terminated. IfRsrc′ is found equal to Rsrc, on the other hand, the procedure proceedsto a step S396 at which the DVD player 1 generates a source side commonsession key sk. Subsequently, the procedure continues to a step S397 atwhich Rsrc is concatenated with Rsnk′ and sk to generate M2. Theprocedure then goes on to a step S398 at which M2 is encrypted by usingthe license key lk to produce Y which is then transmitted to thepersonal computer 2 at a step S399.

The personal computer 2 receiving Y at a step S400 decrypts Y by usingthe license key at a step S401 to produce M3 which is regarded asRsrc″∥Rsnk″∥sk′, a concatenation of Rsrc″, Rsnk″ and sk′ each comprisinga predetermined number of bits, typically, 64 bits. The procedure thengoes on to a step S402 to check if Rsnk″ is equal to Rsnk generated atthe step S388. If Rsnk″ is found unequal to Rsnk, the personal computer2 judges the DVD player 1 to be an unauthorized apparatus in which casethe sink side common session key sk′ is discarded. If Rsnk″ is foundequal to Rsnk, on the other hand, sk′ is accepted as a common sessionkey.

In the embodiment implementing the authentication protocol as describedabove, the source transmits an encrypted text resulting from encryptionof a source side common session key sk to the sink after verifying thevalidity of the sink and, in addition, the sink is also capable ofauthenticating the source. On the top of that, much like the embodimentshown in FIG. 33, in the case of the present embodiment, even if thesource side common session key sk from which the source produces anencrypted text Y by using the license key lk remains unchanged in asession, Y varies from encryption to encryption during the session dueto the fact that Rsrc, a variable number generated by the DVD player 1,is involved in each encryption. As a result, the present embodimentoffers a feature that makes it difficult for an unauthorized person tosteal transmitted information.

In the embodiments described above, the DVD player 1 serves as a sourcewhile the personal computer 2 and the optical magnetic disc apparatus 3each serve as a sink. It should be noted that the description is notintended to be construed in a limiting sense. That is to say, anyarbitrary electronic apparatus can be used as a source or a sink.

In addition, while the 1394 serial bus 11 is used as an external bus forconnecting the electronic apparatuses composing a data processing systemto each other, the scope of the present embodiment is not limited tosuch embodiments. That is, a variety of buses can be used as an externalbus and electronic apparatuses connected to each other by the externalbus are not limited to those employed in the embodiments describedabove. Any arbitrary electronic apparatuses can be used to compose thedata processing system.

It is also worth noting that a variety of programs consisting ofinstructions to be executed by CPUs are presented to the user throughproviding media such a magnetic disc, a CD-ROM disc and a network andcan be used, if necessary, by storing the programs in a RAM unit or ahard disc incorporated in the electronic apparatus.

In an information processing apparatus, an information processing methodand a recording medium provided by the present invention, a 1st key LKis generated on the basis of identification data received from anotherinformation processing apparatus and a 2nd key SVK representingpredetermined information to undergo predetermined processing. As aresult, security of transmitted information can be assured with a highdegree of reliability.

In addition, in another information processing apparatus, anotherinformation processing method and another recording medium provided bythe present invention, a 1st key SVK representing predeterminedinformation to undergo predetermined processing and a predeterminedfunction are stored in advance. A 2nd key LK is generated by applicationof the predetermined function to identification data received fromanother information processing apparatus and the 1st key SVK. A 3rd keySK is further generated, encrypted by using the 2nd key LK andtransmitted to the other information processing apparatus. As a result,it is possible to allow only another authenticated informationprocessing apparatus to carry out predetermined processing oninformation transmitted thereto, further assuring the security of theinformation.

With an information processing system, a further information processingmethod and a further recording medium provided by the present invention,in the 1st information processing apparatus, a 1st key SVK associatedwith information to be transmitted to the 2nd information processingapparatus and a predetermined function are stored in advance. A 2nd keyLK1 is generated by application of the predetermined function toidentification data assigned to and received from the 2nd informationprocessing apparatus and the 1st key SVK. A 3rd key SKi is furthergenerated, encrypted by using the 2nd key LK2 and transmitted to the 2ndinformation processing apparatus. In the second information processingapparatus, on the other hand, identification data assigned to the 2ndinformation processing apparatus, that is, the 2nd informationprocessing apparatus' own identification data unique to the 2ndinformation processing apparatus, and a 4th key LK2 representing apermission to carry out predetermined processing on predeterminedinformation received from the 1st information processing apparatus arestored in advance. The encrypted 3rd key received from the 1stinformation processing apparatus is decrypted back into the 3rd key SK1by using the 4th key LK2. As a result, an information processing systemoffering a high security of transmitted information can be implemented.

On the top of that, according to a still further information processingapparatus, a still further information processing method and a stillfurther recording medium provided by the present invention, a 1st keyLK, a 2nd key LK′ and a predetermined function G are stored in advance.The 2nd key LK′ is generated in advance on the basis of the 1st key LKand the inverse function G^−1 of the predetermined function G. As aresult, security of transmitted information can be assured with a highdegree of reliability.

Furthermore, according to a still further information processingapparatus, a still further information processing method and a stillfurther recording medium provided by the present invention, data H isgenerated by application of a predetermined function to identificationdata assigned to and received from another information processingapparatus and a 1st key SVK. A 2nd key SK is then encrypted by using apseudo random number pRNG (H) generated from the data H and transmittedto the other information processing apparatus. As a result, aninformation processing apparatus offering a high security of transmittedinformation can be implemented.

In addition, with a still further information processing system, a stillfurther information processing method and a still further recordingmedium provided by the present invention, in the 1st informationprocessing apparatus, data H is generated by application of a 1stfunction h to identification data assigned to and received from the 2ndinformation processing apparatus and a 1st key SVK. A 2nd key SK isencrypted by using a pseudo random number pRNG (H) generated from thedata H and transmitted to the 2nd information processing apparatus. Inthe 2nd information processing apparatus, on the other hand, a 3rd keyLK, a 4th key LK′ and a predetermined function G are stored in advance.The 4th key LK′ is generated on the basis of the 3rd key LK and theinverse function G^−1 of the predetermined function G. As a result, aninformation processing system offering a high security of transmittedinformation can be implemented.

1. A data receiving apparatus for decrypting data received from otherequipment using said apparatus′ own key and information also receivedfrom said other equipment, said apparatus comprising: a signal receivingmeans for receiving a signal from a partner apparatus; a text decryptingmeans for decrypting an encrypted text received by said signal receivingmeans; and a signal transmitting means for transmitting a signal to apartner apparatus, wherein: said signal receiving means receives an IDrequesting signal, a 1st encrypted text and a 3rd encrypted text; saidtext decrypting means: generates a 1st random number by decrypting said1st encrypted text; generates a 2nd random number; generates a 2ndencrypted text by encrypting said 1st random number and 2nd randomnumber with a license key; generates a 3rd random number and a sessionkey by decrypting said 3rd encrypted text with license key; comparessaid 2nd random number with said 3rd random number included in said 3rdencrypted text received by said signal receiving means; and discard saidsession key only if a result of comparison satisfies a predeterminedcondition; and said signal transmitting means transmits an ID and said2nd encrypted text.
 2. A data receiving apparatus for decrypting datareceived from other equipment using said apparatus′ own key andinformation also received from said other equipment, said apparatuscomprising: a signal receiving means for receiving a signal from apartner apparatus; a text decrypting means for decrypting an encryptedtext received by said signal receiving means; and a signal transmittingmeans for transmitting a signal to a partner apparatus, wherein: saidsignal receiving means receives an ID requesting signal, a 1st randomnumber and a 2nd encrypted text; said text decrypting means: generates a2nd random number; generates a 1st encrypted text by encrypting saidgenerated 2nd random number and said 1st random number received by saidsignal receiving means with a license key; generates a 3rd random numberand a session key by decrypting said 2nd encrypted text with licensekey; compares said generated 2nd random number with said 3rd randomnumber included in said 2nd encrypted text received by said signalreceiving means; and discard said session key only if a result ofcomparison satisfies a predetermined condition; and said signaltransmitting means transmits an ID and said 1st encrypted-text.
 3. Adata receiving method for decrypting data received from other equipmentusing a key and information also received from said other equipment,said method comprising the steps of: receiving an ID requesting signal;transmitting an ID; receiving a 1st encrypted text; generating a 1strandom number by decrypting said 1st encrypted text with a license key;generating a 2nd random number; generating a 2nd encrypted text byencrypting said generated 2nd random number and a 1st random numberincluded in said received 1st encrypted text with said license key;transmitting said 2nd encrypted text; receiving a 3rd encrypted text;generating a session key and a 3rd random number by decrypting said 3rdencrypted text with said license key comparing said generated 2nd randomnumber and said 3rd random number included in said received 3rdencrypted text; and discard said session key only if a result ofevaluation satisfies a predetermined condition.
 4. A data receivingmethod for decrypting data received from other equipment using a key andinformation also received from said other equipment, said methodcomprising, the steps of: receiving an ID requesting signal;transmitting an ID; receiving a 1st random number; generating a 2ndrandom number; generating a 1st encrypted text by encrypting saidgenerated 2nd random number and said received 1st random number with alicense key; transmitting said 1st encrypted text; receiving a 2ndencrypted text; generating a session key and a 3rd random number bydecrypting said 2nd a encrypted text with said license key; evaluatingsaid generated 2nd random number and a 3rd random number included insaid received 2nd encrypted text; and discard said session key only if aresult of evaluation satisfies a predetermined condition.
 5. A computerreadable recording medium for storing a program executed by a computerprescribing a data receiving method for decrypting data received fromother equipment using a key and information also received from saidother equipment, said method comprising the steps of; receiving an IDrequesting signal; transmitting an ID; receiving a 1st encrypted text;generating a 1st random number by decrypting said 1st encrypted textwith a license key; generating a 2nd random number; generating a 2ndencrypted text by encrypting said generated 2nd random number and a 1strandom number included in said received 1st encrypted text with saidlicense key; transmitting said 2nd encrypted text; receiving a 3rdencrypted text; generating a session key and a 3rd random number bydecrypting said 3rd encrypted text with said license key comparing saidgenerated 2nd random number and said 3rd random number included in saidreceived 3rd encrypted text; and discard said session key only if aresult of evaluation satisfies a predetermined condition.
 6. A computerreadable recording medium for storing a program executed by a computerprescribing a data receiving method for decrypting data received fromother equipment using a key and information also received from saidother equipment, said method comprising the steps of: receiving an IDrequesting signal; transmitting an ID; receiving a 1st random number;generating a 2nd random number; generating a 1st encrypted text byencrypting said generated 2nd random number and said received 1st randomnumber with a license key; transmitting said 1st encrypted text;receiving a 2nd encrypted text; generating a session key and a 3rdrandom number by decrypting said 2nd encrypted text with said licensekey; evaluating said generated 2nd random number and a 3rd random numberincluded in said received 2nd encrypted text; and discard said sessionkey only if a result of evaluation satisfies a predetermined condition.